snow/wireguard-go
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

device: lock elem in autodraining queue before freeing

Browse source 
Without this, we wind up freeing packets that the encryption/decryption
queues still have, resulting in a UaF.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld 2021-02-09 15:00:59 +01:00
parent 6548a682a9
commit 4b5d15ec2b
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
device/channels.go
View file

@ -89,6 +89,7 @@ func newAutodrainingInboundQueue(device *Device) chan *QueueInboundElement {
if elem == nil { if elem == nil {
continue continue
} }
elem.Lock()
device.PutMessageBuffer(elem.buffer) device.PutMessageBuffer(elem.buffer)
device.PutInboundElement(elem) device.PutInboundElement(elem)
default: default:
@ -118,6 +119,7 @@ func newAutodrainingOutboundQueue(device *Device) chan *QueueOutboundElement {
if elem == nil { if elem == nil {
continue continue
} }
elem.Lock()
device.PutMessageBuffer(elem.buffer) device.PutMessageBuffer(elem.buffer)
device.PutOutboundElement(elem) device.PutOutboundElement(elem)
default: default: