From 1477c7262a734a5768c500cbfd3173944682c20b Mon Sep 17 00:00:00 2001 From: Alexander Chernavin Date: Thu, 2 Jun 2022 09:55:37 +0000 Subject: wireguard: fix crash by not sending arp via wg interface Type: fix Currently, neighbor adjacencies on a wg interface are converted into a midchain only if one of the peers has a matching allowed prefix configured. If create a route that goes through a wg interface but the next-hop address does not match any allowed prefixes, an ARP/ND request will try to be sent via the wg interface to resolve the next-hop address when matching traffic occurs. And sending an ARP request will cause VPP to crash while copying hardware address of the wg interface which is NULL. Sending an ND message will not cause VPP to crash but the error logged will be unclear (no source address). With this fix, convert all neighbor adjacencies on a wg interface into a midchain and update tests to cover the case. If there is no matching allowed prefix configured, traffic going such routes will be dropped because of "Peer error". No changes if there is matching allowed prefix configured. Also, fix getting peer by adjacency index. Signed-off-by: Alexander Chernavin Change-Id: I15bc1e1f83de719e97edf3f7210a5359a35bddbd --- src/plugins/wireguard/wireguard_peer.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/plugins/wireguard/wireguard_peer.h') diff --git a/src/plugins/wireguard/wireguard_peer.h b/src/plugins/wireguard/wireguard_peer.h index f3d80fbf9fe..a14f2692b1c 100644 --- a/src/plugins/wireguard/wireguard_peer.h +++ b/src/plugins/wireguard/wireguard_peer.h @@ -166,7 +166,7 @@ wg_peer_get (index_t peeri) static inline index_t wg_peer_get_by_adj_index (index_t ai) { - if (ai > vec_len (wg_peer_by_adj_index)) + if (ai >= vec_len (wg_peer_by_adj_index)) return INDEX_INVALID; return (wg_peer_by_adj_index[ai]); } -- cgit 1.2.3-korg
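Review bot: The off-by-one in wg_peer_get_by_adj_index is an out-of-bounds read, and the commit message only mentions it as "Also, fix getting peer by adjacency index". With the old `ai > vec_len (wg_peer_by_adj_index)` test, `ai == vec_len` passed the check and `wg_peer_by_adj_index[ai]` read one element past the end of the vector (for an empty vector that includes `ai == 0`). The `>=` bound is correct. I'd suggest describing the out-of-bounds read explicitly in the message, or splitting it into its own commit so it can be backported independently of the midchain change. This view is limited to wireguard_peer.h, so it is also worth confirming that every caller checks the returned value against INDEX_INVALID before using it as a peer index, since the commit message says more traffic will now reach this lookup without a matching allowed prefix.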