From patchwork Mon Feb 22 16:25:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 385813 Delivered-To: patch@linaro.org Received: by 2002:a02:290e:0:0:0:0:0 with SMTP id p14csp1419695jap; Mon, 22 Feb 2021 08:31:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJxw/enguDJxT8H28Hq5IB6gJeGxyNDIUKTNgRDTDcIjzgRiF4OvKjxDZ/xJD8/7W9vbkvZU X-Received: by 2002:aa7:cc98:: with SMTP id p24mr24211239edt.126.1614011480757; Mon, 22 Feb 2021 08:31:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614011480; cv=none; d=google.com; s=arc-20160816; b=dFuyrJabc85saaaLhY++7tVR2iIxEwMcKuf8uzkAiULTrC6G1R1R3WHz6b/G8ytTQB xXhetxvbLOpgrjj50uAk892K/OzEoA+rztefwPT40xcdmMrK4GlMATERpMEib0vvSGjq Jb4O+/mgx+8xa0iEfp+JkLEaY27jMZ8dz9U5sjf7jbzKYhYbLGlrL5rwGPblLKpDEL40 V/YhzE4yaTKwzzM63JCeKa51OKHvNt89rC4N/owTdqFCgo1LXgLUu67TfFBU/yfH7255 pOV+bI6DMQQ5zdACJVSkV5Z0/ejmDEh3OvGlh96juWQuCdG/lEp2GhyYKDWTLm6JADg2 gy7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:to:from :dkim-signature; bh=iys7Zy8lEPOpQwY9fqMEdYkFEKZRM2Rey0ir2dZq0gU=; b=NNSpxaJG01P39ZnasL7DK00ZTC8sD7s7yrskvhyQQCVxSHgt4sv0nBfNyORiINPXIA XBtOoSzPKqqdWT4YOp8SeyJIx0cwY/RxmTh4fL/9rFFiOpCHnjxIZ+anGfCna/OMlLQ3 IivN8vrjtz29pEM8jpgPuAHuQ4G6IBMbAzYowhzQ4YEcFXoWkEwaH5+JpFa1gqZl4s5P hbJOlI/PUm0LY2Haz0k4KaHrY+deWoDsOYFCrWjmi99EvnaAUoxc2GXx7VkYp+xai3Y3 QKdcZ7uzOKEMpdrMTxzZbDzWyCbkCvre0GYX8I87tz0o1qGy3//eDlGyV33elCrRdGJ5 LSxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=S+HX8SB7; spf=pass (google.com: domain of netdev-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=netdev-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id se21si5744482ejb.362.2021.02.22.08.31.20; Mon, 22 Feb 2021 08:31:20 -0800 (PST) Received-SPF: pass (google.com: domain of netdev-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=S+HX8SB7; spf=pass (google.com: domain of netdev-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=netdev-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230223AbhBVQ3w (ORCPT + 9 others); Mon, 22 Feb 2021 11:29:52 -0500 Received: from mail.zx2c4.com ([104.131.123.232]:60986 "EHLO mail.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231615AbhBVQ2G (ORCPT ); Mon, 22 Feb 2021 11:28:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1614011162; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iys7Zy8lEPOpQwY9fqMEdYkFEKZRM2Rey0ir2dZq0gU=; b=S+HX8SB7MjZydRm0jDEeQaB90c8/pW+0qUIiL8MWz4UtXKZ0wpLVSiZZvzAPC9qTt5oid1 3MP6NNn6/T99hZHRxv7RrMrzzfHFZ7Q3M//zogdugt/L4lAM0QztjhTFlMoYv7YVMEFTXt lFsechFAjT8dhrBP2s8KK4EEtcHaK+s= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 3d0a66d4 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Mon, 22 Feb 2021 16:26:02 +0000 (UTC) From: "Jason A. Donenfeld" To: netdev@vger.kernel.org, davem@davemloft.net Subject: [PATCH net 5/7] wireguard: device: do not generate ICMP for non-IP packets Date: Mon, 22 Feb 2021 17:25:47 +0100 Message-Id: <20210222162549.3252778-6-Jason@zx2c4.com> In-Reply-To: <20210222162549.3252778-1-Jason@zx2c4.com> References: <20210222162549.3252778-1-Jason@zx2c4.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If skb->protocol doesn't match the actual skb->data header, it's probably not a good idea to pass it off to icmp{,v6}_ndo_send, which is expecting to reply to a valid IP packet. So this commit has that early mismatch case jump to a later error label. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld --- drivers/net/wireguard/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) -- 2.30.1 diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c index cd51a2afa28e..8502e1b083ff 100644 --- a/drivers/net/wireguard/device.c +++ b/drivers/net/wireguard/device.c @@ -138,7 +138,7 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) else if (skb->protocol == htons(ETH_P_IPV6)) net_dbg_ratelimited("%s: No peer has allowed IPs matching %pI6\n", dev->name, &ipv6_hdr(skb)->daddr); - goto err; + goto err_icmp; } family = READ_ONCE(peer->endpoint.addr.sa_family); @@ -201,12 +201,13 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) err_peer: wg_peer_put(peer); -err: - ++dev->stats.tx_errors; +err_icmp: if (skb->protocol == htons(ETH_P_IP)) icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); else if (skb->protocol == htons(ETH_P_IPV6)) icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0); +err: + ++dev->stats.tx_errors; kfree_skb(skb); return ret; }