git.ipfire.org Git - thirdparty/wireguard-go.git/commit

device: allocate new buffer in receive death spiral

Note: this bug is "hidden" by avoiding "death spiral" code path by
6228659 ("device: handle broader range of errors in RoutineReceiveIncoming").

If the code reached "death spiral" mechanism, there would be multiple
double frees happening. This results in a deadlock on iOS, because the
pools are fixed size and goroutine might stop until somebody makes
space in the pool.

This was almost 100% repro on the new ARM Macbooks:

- Build with 'ios' tag for Mac. This will enable bounded pools.
- Somehow call device.IpcSet at least couple of times (update config)
- device.BindUpdate() would be triggered
- RoutineReceiveIncoming would enter "death spiral".
- RoutineReceiveIncoming would stall on double free (pool is already
full)
- The stuck routine would deadlock 'device.closeBindLocked()' function
on line 'netc.stopping.Wait()'

Signed-off-by: Kristupas Antanavičius <kristupas.antanavicius@nordsec.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

author	Kristupas Antanavičius <kristupas.antanavicius@nordsec.com>
	Mon, 12 Apr 2021 11:50:58 +0000 (14:50 +0300)
committer	Jason A. Donenfeld <Jason@zx2c4.com>
	Mon, 12 Apr 2021 17:14:53 +0000 (11:14 -0600)
commit	d2fd0c0cc07029f879f6611d3b52e4c33bd78b0b
tree	755c13d27a0101086e7249afc16932d4ecaa9ac6	tree \| snapshot
parent	5f6bbe4ae8b2e46bcf71e9476fb29c30a9cb4d79	commit \| diff