if_ovpn: fix use-after-free of mbuf

m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.

Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.

PR:		283426
Test case by:	takahiro.kurosawa@gmail.com
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")

sys/net/if_ovpn.c

@@ -2255,12 +2255,6 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
 
 	M_ASSERTPKTHDR(m);
 
-	m = m_unshare(m, M_NOWAIT);
-	if (m == NULL) {
-		OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
-		return (true);
-	}
-
 	OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off);
 
 	ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
@@ -2288,6 +2282,12 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
 		return (false);
 	}
 
+	m = m_unshare(m, M_NOWAIT);
+	if (m == NULL) {
+		OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
+		return (true);
+	}
+
 	m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen);
 	if (m == NULL) {
 		OVPN_RUNLOCK(sc);

tests/sys/net/if_ovpn/if_ovpn.sh

@@ -106,6 +106,86 @@ atf_test_case "4in4" "cleanup"
 	ovpn_cleanup
 }
 
+atf_test_case "bz283426" "cleanup"
+bz283426_head()
+{
+	atf_set descr 'FreeBSD Bugzilla 283426'
+	atf_set require.user root
+	atf_set require.progs openvpn python3
+}
+
+bz283426_body()
+{
+	ovpn_init
+
+	l=$(vnet_mkepair)
+
+	vnet_mkjail a ${l}a
+	jexec a ifconfig ${l}a 192.0.2.1/24 up
+	vnet_mkjail b ${l}b
+	jexec b ifconfig ${l}b 192.0.2.2/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
+
+	ovpn_start a "
+		dev ovpn0
+		dev-type tun
+		proto udp4
+
+		cipher AES-256-GCM
+		auth SHA256
+
+		bind 0.0.0.0:1194
+		server 198.51.100.0 255.255.255.0
+		ca $(atf_get_srcdir)/ca.crt
+		cert $(atf_get_srcdir)/server.crt
+		key $(atf_get_srcdir)/server.key
+		dh $(atf_get_srcdir)/dh.pem
+
+		mode server
+		script-security 2
+		auth-user-pass-verify /usr/bin/true via-env
+		topology subnet
+
+		keepalive 100 600
+	"
+	ovpn_start b "
+		dev tun0
+		dev-type tun
+
+		client
+
+		remote 192.0.2.1
+		auth-user-pass $(atf_get_srcdir)/user.pass
+
+		ca $(atf_get_srcdir)/ca.crt
+		cert $(atf_get_srcdir)/client.crt
+		key $(atf_get_srcdir)/client.key
+		dh $(atf_get_srcdir)/dh.pem
+
+		keepalive 100 600
+	"
+
+	# Give the tunnel time to come up
+	sleep 10
+
+	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
+
+	# Send a broadcast packet in the outer link.
+	echo "import socket as sk
+s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
+s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
+s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3
+
+	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
+}
+
+bz283426_cleanup()
+{
+	ovpn_cleanup
+}
+
 atf_test_case "4mapped" "cleanup"
 4mapped_head()
 {
@@ -1033,6 +1113,7 @@ gcm_128_cleanup()
 atf_init_test_cases()
 {
 	atf_add_test_case "4in4"
+	atf_add_test_case "bz283426"
 	atf_add_test_case "4mapped"
 	atf_add_test_case "6in4"
 	atf_add_test_case "6in6"