From 4ab55146ae2044a278a0110f9d26816f005e54bf Mon Sep 17 00:00:00 2001 From: Jon Loeliger Date: Tue, 5 Apr 2022 14:05:38 -0500 Subject: wireguard: prevent segfault on non-adj packets An unexpected packet that shows up on a Wireguard interface that happens not to have a forwarding peer will cause a segfault trying to index the vector of peers by adjacency. Rather than segfaulting, recognize a non-adjacent packet and drop it instead. This leaves open the question of what _should_ be happening to, say, IPv6 multicast packets. Signed-off-by: Jon Loeliger Type: fix Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88 Change-Id: Ic0a29e6cf6fe812a4895ec11bedcca86c62e590b --- src/plugins/wireguard/wireguard_peer.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/plugins/wireguard/wireguard_peer.h') diff --git a/src/plugins/wireguard/wireguard_peer.h b/src/plugins/wireguard/wireguard_peer.h index 1af5799bc76..f3d80fbf9fe 100644 --- a/src/plugins/wireguard/wireguard_peer.h +++ b/src/plugins/wireguard/wireguard_peer.h @@ -166,6 +166,8 @@ wg_peer_get (index_t peeri) static inline index_t wg_peer_get_by_adj_index (index_t ai) { + if (ai > vec_len (wg_peer_by_adj_index)) + return INDEX_INVALID; return (wg_peer_by_adj_index[ai]); } -- cgit 1.2.3-korg
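Review bot: The new bounds check in wg_peer_get_by_adj_index is off by one: `if (ai > vec_len (wg_peer_by_adj_index))` still lets `ai == vec_len (wg_peer_by_adj_index)` through to `wg_peer_by_adj_index[ai]`, which reads one element past the end of the vector. Valid indices run from 0 to vec_len - 1, so the comparison should be `>=`. With `>`, a packet whose adjacency index equals the current vector length returns whatever sits after the last slot instead of INDEX_INVALID, so the out-of-bounds read this patch is meant to remove remains reachable for that one value. Separately, the function can now return INDEX_INVALID where it previously could not, and the commit message says such packets are dropped, but no caller is touched in this diff. It is worth confirming that every caller checks for INDEX_INVALID before handing the result to wg_peer_get, since otherwise the invalid index just moves the bad access one call further down.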