From 86a61df7bcad022f22afdd169e147155b89f8d85 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Wed, 8 Aug 2018 19:18:25 -0700
Subject: netlink: don't start over iteration on multipart non-first allowedips

Reported-by: Matt Layher
---
 src/netlink.c      |  6 ++++--
 src/tests/netns.sh | 24 ++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index 90c7aa2..3147587 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -165,7 +165,7 @@ static int get_device_start(struct netlink_callback *cb)
 static int get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
 {
 	struct wireguard_device *wg = (struct wireguard_device *)cb->args[0];
-	struct wireguard_peer *peer, *next_peer_cursor = NULL, *last_peer_cursor = (struct wireguard_peer *)cb->args[1];
+	struct wireguard_peer *peer, *next_peer_cursor, *last_peer_cursor;
 	struct allowedips_cursor *rt_cursor = (struct allowedips_cursor *)cb->args[2];
 	unsigned int peer_idx = 0;
 	struct nlattr *peers_nest;
@@ -173,6 +173,8 @@ static int get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
 	void *hdr;
 	int ret = -EMSGSIZE;
 
+	next_peer_cursor = last_peer_cursor = (struct wireguard_peer *)cb->args[1];
+
 	rtnl_lock();
 	mutex_lock(&wg->device_update_lock);
 	cb->seq = wg->device_update_gen;
@@ -220,9 +222,9 @@ static int get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
 	nla_nest_end(skb, peers_nest);
 
 out:
-	peer_put(last_peer_cursor);
 	if (!ret && !done && next_peer_cursor)
 		peer_get(next_peer_cursor);
+	peer_put(last_peer_cursor);
 	mutex_unlock(&wg->device_update_lock);
 	rtnl_unlock();
 
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
index d1950a0..29e1fd4 100755
--- a/src/tests/netns.sh
+++ b/src/tests/netns.sh
@@ -439,6 +439,30 @@ n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
 n0 wg showconf wg0 > /dev/null
 ip0 link del wg0
 
+allowedips=( )
+for i in {1..197}; do
+	allowedips+=( abcd::$i )
+done
+saved_ifs="$IFS"
+IFS=,
+allowedips="${allowedips[*]}"
+IFS="$saved_ifs"
+ip0 link add wg0 type wireguard
+n0 wg set wg0 peer "$pub1"
+n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
+{
+	read -r pub allowedips
+	[[ $pub == "$pub1" && $allowedips == "(none)" ]]
+	read -r pub allowedips
+	[[ $pub == "$pub2" ]]
+	i=0
+	for _ in $allowedips; do
+		((++i))
+	done
+	((i == 197))
+} < <(n0 wg show wg0 allowed-ips)
+ip0 link del wg0
+
 ! n0 wg show doesnotexist || false
 
 ip0 link add wg0 type wireguard
--
cgit v1.2.3-59-g8ed1b
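Review bot: The reordering of `peer_get(next_peer_cursor)` ahead of `peer_put(last_peer_cursor)` under `out:` is now load-bearing — with `next_peer_cursor` initialised to the same pointer as `last_peer_cursor`, the old put-then-get order could drop the last reference to the very peer the dump is about to resume — yet nothing in the hunk records that constraint, so a later tidy-up could silently reintroduce the refcount drop. I would add above the `if (!ret && !done && next_peer_cursor)` line: `/* next_peer_cursor may alias last_peer_cursor when a peer's allowedips span several messages: take the new reference before dropping the old one. */`. The peer loop that advances `next_peer_cursor` (and presumably writes it back to `cb->args[1]`) sits between the second and third hunk, outside this diff, so whether every path that reaches `out:` with `ret == 0` and `done` unset also publishes the cursor cannot be checked here; get_device_dump also continues past the last hunk.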
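Review bot: The new check `((i == 197))` only counts the dumped allowed-ips, so a dump that repeats some entries while dropping others — the kind of restarted iteration this commit is fixing — could still pass on count alone; comparing against the input is stronger, e.g. adding `[[ -z $(printf '%s\n' $allowedips | sort | uniq -d) ]]` after the counting loop, or sorting both lists and comparing them. The value 197 is unexplained; a comment such as `# enough allowed-ips that one peer's list no longer fits in a single netlink message` above the `for i in {1..197}` loop would record why it was chosen, assuming that is the intent. Reusing `allowedips` for both the comma-joined input string and the field read back from `wg show` makes the block harder to follow; a distinct name for the read-back value (e.g. `shown`) would be clearer.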