From 96ad9f4f9fea1c1999aa7d46c150c3ab1134f043 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 29 Jun 2017 21:08:22 +0200
Subject: receive: fix off-by-one in packet length checking

This caused certain packets to be rejected that shouldn't be rejected, in the case of certain scatter-gather ethernet drivers doing GRO pulling right up to the UDP bounds but not beyond. This caused certain TCP connections to fail. Thanks very much to Reuben for providing access to the machine to debug this regression.
Reported-by: Reuben Martin
---
 src/receive.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/receive.c')
diff --git a/src/receive.c b/src/receive.c
index 492a62f..3ce472b 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -35,7 +35,7 @@ static inline int skb_prepare_header(struct sk_buff *skb, struct wireguard_devic
 struct udphdr *udp;
 size_t data_offset, data_len;
 enum message_type message_type;
- if (unlikely(skb_examine_untrusted_ip_hdr(skb) != skb->protocol || skb_transport_header(skb) < skb->head || (skb_transport_header(skb) + sizeof(struct udphdr)) >= skb_tail_pointer(skb)))
+ if (unlikely(skb_examine_untrusted_ip_hdr(skb) != skb->protocol || skb_transport_header(skb) < skb->head || (skb_transport_header(skb) + sizeof(struct udphdr)) > skb_tail_pointer(skb)))
 return -EINVAL; /* Bogus IP header */
 udp = udp_hdr(skb);
 data_offset = (u8 *)udp - skb->data;
-- cgit v1.2.3-59-g8ed1b
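Review bot: The boundary rule in the new `if` is undocumented, and the three unrelated rejections share one `/* Bogus IP header */` comment, so the `>` versus `>=` distinction that caused this regression is easy to reintroduce. I would add above the condition `/* The UDP header may end exactly at skb_tail_pointer(): the payload can sit entirely in paged frags, so reject only when the header itself overruns the linear area. */` and reword the return comment to something like `/* Bogus IP header or truncated UDP header */`. With a header that ends exactly at the tail now accepted, the linear area may hold zero payload bytes, so any later payload read presumably has to be preceded by a pull or length check. That is worth confirming, because the body of skb_prepare_header continues past the end of this hunk. Splitting the condition into one clause per line would also make the next change to this bounds check easier to review.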