diff options
author | David S. Miller <davem@davemloft.net> | 2020-03-18 18:51:43 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-03-18 18:51:43 -0700 |
commit | 36d129bf5e934d2c22966cd5ba99e970402cc362 (patch) | |
tree | cbe8424419b8eca14736eb0ab02ce5f9c509915a /drivers/net/wireguard/queueing.h | |
parent | 105ba8ae51e0178462b4cdf2f82c6e98fac19c04 (diff) | |
parent | c5e5f40e27f6b87324ae89d175879cf35498632c (diff) | |
download | wireguard-linux-trimmed-36d129bf5e934d2c22966cd5ba99e970402cc362.tar.gz wireguard-linux-trimmed-36d129bf5e934d2c22966cd5ba99e970402cc362.zip |
Merge branch 'wireguard-fixes'
Jason A. Donenfeld says:
====================
wireguard fixes for 5.6-rc7
I originally intended to spend this cycle working on fun optimizations
and architecture for WireGuard for 5.7, but I've been a bit neurotic
about having 5.6 ship without any show stopper bugs. WireGuard has been
stable for a long time now, but that doesn't make me any less nervous
about the real deal in 5.6. To that end, I've been doing code reviews
and having discussions, and we also had a security firm audit the code.
That audit didn't turn up any vulnerabilities, but they did make a good
defense-in-depth suggestion. This series contains:
1) Removal of a duplicated header, from YueHaibing.
2) Testing with 64-bit time in our test suite.
3) Account for skb->protocol==0 due to AF_PACKET sockets, suggested
by Florian Fainelli.
4) Clean up some code in an unreachable switch/case branch, suggested
by Florian Fainelli.
5) Better handling of low-order points, discussed with Mathias
Hall-Andersen.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/wireguard/queueing.h')
-rw-r--r-- | drivers/net/wireguard/queueing.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/net/wireguard/queueing.h b/drivers/net/wireguard/queueing.h index fecb559..cf1e0e2 100644 --- a/drivers/net/wireguard/queueing.h +++ b/drivers/net/wireguard/queueing.h @@ -66,7 +66,7 @@ struct packet_cb { #define PACKET_PEER(skb) (PACKET_CB(skb)->keypair->entry.peer) /* Returns either the correct skb->protocol value, or 0 if invalid. */ -static inline __be16 wg_skb_examine_untrusted_ip_hdr(struct sk_buff *skb) +static inline __be16 wg_examine_packet_protocol(struct sk_buff *skb) { if (skb_network_header(skb) >= skb->head && (skb_network_header(skb) + sizeof(struct iphdr)) <= @@ -81,6 +81,12 @@ static inline __be16 wg_skb_examine_untrusted_ip_hdr(struct sk_buff *skb) return 0; } +static inline bool wg_check_packet_protocol(struct sk_buff *skb) +{ + __be16 real_protocol = wg_examine_packet_protocol(skb); + return real_protocol && skb->protocol == real_protocol; +} + static inline void wg_reset_packet(struct sk_buff *skb) { skb_scrub_packet(skb, true); |