From: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Tue, 9 Feb 2021 14:00:59 +0000 (+0100)
Subject: device: lock elem in autodraining queue before freeing
X-Git-Tag: 0.0.20210212~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b5d15ec2b1f148b4f718ed16d7e7f022b19fe1b;p=thirdparty%2Fwireguard-go.git

device: lock elem in autodraining queue before freeing

Without this, we wind up freeing packets that the encryption/decryption
queues still have, resulting in a UaF.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---

diff --git a/device/channels.go b/device/channels.go
index 8cd6aee..4bd6090 100644
--- a/device/channels.go
+++ b/device/channels.go
@@ -89,6 +89,7 @@ func newAutodrainingInboundQueue(device *Device) chan *QueueInboundElement {
 				if elem == nil {
 					continue
 				}
+				elem.Lock()
 				device.PutMessageBuffer(elem.buffer)
 				device.PutInboundElement(elem)
 			default:
@@ -118,6 +119,7 @@ func newAutodrainingOutboundQueue(device *Device) chan *QueueOutboundElement {
 				if elem == nil {
 					continue
 				}
+				elem.Lock()
 				device.PutMessageBuffer(elem.buffer)
 				device.PutOutboundElement(elem)
 			default: