device: lock elem in autodraining queue before freeing

Without this, we wind up freeing packets that the encryption/decryption
queues still have, resulting in a UaF.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

diff --git a/device/channels.go b/device/channels.go
index 8cd6aee3168b7822d37c34cd0a7df8b8c6ff1662..4bd60909792f2254d9e4e26ad95410e72715cba6 100644 (file)
--- a/device/channels.go
+++ b/device/channels.go
@@ -89,6 +89,7 @@ func newAutodrainingInboundQueue(device *Device) chan *QueueInboundElement {
                                if elem == nil {
                                        continue
                                }
+                               elem.Lock()
                                device.PutMessageBuffer(elem.buffer)
                                device.PutInboundElement(elem)
                        default:
@@ -118,6 +119,7 @@ func newAutodrainingOutboundQueue(device *Device) chan *QueueOutboundElement {
                                if elem == nil {
                                        continue
                                }
+                               elem.Lock()
                                device.PutMessageBuffer(elem.buffer)
                                device.PutOutboundElement(elem)
                        default: