wireguard: prevent segfault on non-adj packets

An unexpected packet that shows up on a Wireguard interace that happens not to have a forwarding peer will cause a segfault trying to index the vector of peers by adjacency. Rather than segfaulting, recognize a non-adjacent packet and drop it instead. This leaves open the question of what _should_ be happening to, say, IPv6 multicast packets. Signed-off-by: Jon Loeliger <jdl@netgate.com> Type: fix Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88 Change-Id: Ic0a29e6cf6fe812a4895ec11bedcca86c62e590b
author: Jon Loeliger <jdl@netgate.com> 2022-04-05 14:05:38 -0500
committer: Jon Loeliger <jdl@netgate.com> 2022-04-05 14:16:31 -0500
commit: 4ab55146ae2044a278a0110f9d26816f005e54bf (patch)
tree: e0e16d7bb29edf5955197af673b1459b5bc51dcb /src/plugins/wireguard/wireguard_output_tun.c
parent: 2f132efc3cafde5a0dd01ef8a91606528970cdf7 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/src/plugins/wireguard/wireguard_output_tun.c b/src/plugins/wireguard/wireguard_output_tun.c
index 14df692eebc..64aaba7947f 100644
--- a/src/plugins/wireguard/wireguard_output_tun.c
+++ b/src/plugins/wireguard/wireguard_output_tun.c
@@ -371,6 +371,11 @@ wg_output_tun_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
       if (PREDICT_FALSE (last_adj_index != adj_index))
 	{
 	  peeri = wg_peer_get_by_adj_index (adj_index);
+	  if (peeri == INDEX_INVALID)
+	    {
+	      b[0]->error = node->errors[WG_OUTPUT_ERROR_PEER];
+	      goto out;
+	    }
 	  peer = wg_peer_get (peeri);
 	}
author	Jon Loeliger <jdl@netgate.com>	2022-04-05 14:05:38 -0500
committer	Jon Loeliger <jdl@netgate.com>	2022-04-05 14:16:31 -0500
commit	4ab55146ae2044a278a0110f9d26816f005e54bf (patch)
tree	e0e16d7bb29edf5955197af673b1459b5bc51dcb /src/plugins/wireguard/wireguard_output_tun.c
parent	2f132efc3cafde5a0dd01ef8a91606528970cdf7 (diff)