untrusted comment: verify with openbsd-75-base.pub RWRGj1pRpprAfqQHsGsYNaXs2Yr3c7Rz7s48rIakO+KM8AuaE/IY6QqC/36e7B0ueHBtCCxyEArxlkKIjHyuhGkGh77Ec3FWbQ8= OpenBSD 7.5 errata 015, January 10, 2025: Traffic sent over wg(4) could result in kernel crash. Apply by doing: signify -Vep /etc/signify/openbsd-75-base.pub -x 015_wg.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install a new kernel: KK=`sysctl -n kern.osversion | cut -d# -f1` cd /usr/src/sys/arch/`machine`/compile/$KK make obj make config make make install
Index: sys/net/if_wg.c
===================================================================
RCS file: /cvs/src/sys/net/if_wg.c,v
diff -u -p -r1.37 if_wg.c
--- sys/net/if_wg.c 5 Mar 2024 17:48:01 -0000 1.37
+++ sys/net/if_wg.c 7 Jan 2025 09:23:19 -0000
@@ -859,11 +859,15 @@ wg_send_buf(struct wg_softc *sc, struct
 {
 struct mbuf *m;
 int ret = 0;
+ size_t mlen = len + max_hdr;
 retry:
 m = m_gethdr(M_WAIT, MT_DATA);
- m->m_len = 0;
- m_copyback(m, 0, len, buf, M_WAIT);
+ if (mlen > MHLEN)
+ MCLGETL(m, M_WAIT, mlen);
+ m_align(m, len);
+ m->m_pkthdr.len = m->m_len = len;
+ memcpy(mtod(m, void *), buf, len);
 /* As we're sending a handshake packet here, we want high priority */
 m->m_pkthdr.pf.prio = IFQ_MAXPRIO;
@@ -1303,9 +1307,6 @@ wg_send_keepalive(void *_peer)
 return;
 }
- m->m_len = 0;
- m_calchdrlen(m);
-
 t->t_peer = peer;
 t->t_mbuf = NULL;
 t->t_done = 0;
@@ -1507,9 +1508,10 @@ wg_encap(struct wg_softc *sc, struct mbu
 t = wg_tag_get(m);
 peer = t->t_peer;
- plaintext_len = min(WG_PKT_WITH_PADDING(m->m_pkthdr.len), t->t_mtu);
+ plaintext_len = WG_PKT_WITH_PADDING(m->m_pkthdr.len);
 padding_len = plaintext_len - m->m_pkthdr.len;
- out_len = sizeof(struct wg_pkt_data) + plaintext_len + NOISE_AUTHTAG_LEN;
+ out_len = sizeof(struct wg_pkt_data) + plaintext_len +
+ NOISE_AUTHTAG_LEN;
 /*
 * For the time being we allocate a new packet with sufficient size to
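Review bot: Nothing in wg_send_buf bounds `len` before `memcpy(mtod(m, void *), buf, len)`; the new path sizes the cluster from `mlen = len + max_hdr` and then relies on MCLGETL and m_align having produced at least `len` bytes of room. The callers are outside this hunk and presumably pass small fixed-size handshake messages, so I would state that assumption right after the `mlen` declaration with `KASSERT(mlen <= MAXMCLBYTES);` and a one-line comment saying that the extra max_hdr bytes are, presumably, leading space for the outer headers. The m_clget call in the @@ -1521 hunk of wg_encap has the same open upper bound on `out_len + max_hdr`, although it does check the result for NULL. wg_send_buf continues past the end of this hunk.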
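Review bot: The invariant this fix depends on, `plaintext_len >= m->m_pkthdr.len`, is not written down next to the new `plaintext_len = WG_PKT_WITH_PADDING(m->m_pkthdr.len);` line in the @@ -1507 hunk. The removed `min(..., t->t_mtu)` could yield a value below the packet length, leaving `padding_len` negative or wrapped (its declaration is outside the hunk) and `out_len` too small while the later `m_copydata(m, 0, m->m_pkthdr.len, data->buf)` still copies the whole packet; that is most likely the crash the errata describes. I would add above the assignment: `/* Round up only: clamping to t_mtu can drop below m_pkthdr.len and undersize the buffer m_copydata fills. */`. It is also worth confirming that a padded length slightly above t_mtu is acceptable, since nothing visible here enforces the MTU any more. wg_encap starts and ends outside this hunk.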
@@ -1521,8 +1523,9 @@ wg_encap(struct wg_softc *sc, struct mbu
 * noise_remote_encrypt about mbufs, but we would need to sort out the
 * p_encap_queue situation first.
 */
- if ((mc = m_clget(NULL, M_NOWAIT, out_len)) == NULL)
+ if ((mc = m_clget(NULL, M_NOWAIT, out_len + max_hdr)) == NULL)
 goto error;
+ m_align(mc, out_len);
 data = mtod(mc, struct wg_pkt_data *);
 m_copydata(m, 0, m->m_pkthdr.len, data->buf);
@@ -1559,8 +1562,7 @@ wg_encap(struct wg_softc *sc, struct mbu
 mc->m_pkthdr.ph_loopcnt = m->m_pkthdr.ph_loopcnt;
 mc->m_flags &= ~(M_MCAST | M_BCAST);
- mc->m_len = out_len;
- m_calchdrlen(mc);
+ mc->m_pkthdr.len = mc->m_len = out_len;
 /*
 * We would count ifc_opackets, ifc_obytes of m here, except if_snd