More various fixes (F-*)#125
Draft
gasbytes wants to merge 10 commits into
Draft
Conversation
…hakes per poll cycle) after the dos guard flag (under_load) - change the poll to check if under_load to include 8 max peers (from > to >=) this makes sure that when the peers are exactly 8, we still turn on the under_load flag, which means that it will require the peer to calculate the mac2 to prevent dos attacks and prevents the increase of the handshakes per_cycle before mac2 is calculated.
requests now only relipes will populate the cache and update the affected arp unit tests to match
… was up until 120s before refresh) initializing it with (UINT64_MAX - (uint64_t)WG_COOKIE_SECRET_MAX_AGE * 1000UL - 1)
…in a header value can no longer inject headers or smuggle body
…fore honouring an icmp port/prot_unreach
… an absent or mismatched server identifier can no longer deconfigure the lease this pretty much mirrors the guard already in dhcp_parse_ack
gasbytes
force-pushed
the
2026-05-25-findings-fixes
branch
from
c33f76c to
862ee3b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
c33f76c - validate the dhcp server-id in dhcp_msg_type so a forged dhcpnak with an absent or mismatched server identifier can no longer deconfigure the lease this pretty much mirrors the guard already in dhcp_parse_ack
3ae5ec9 - validate the tcp sequence number against the half-open send window before honouring an icmp port/prot_unreach
b197590 scope http percent-decoding to the request target so an encoded CRLF in a header value can no longer inject headers or smuggle body
2dcf41a - initialize the secret_birthdate so that the mac2 is not forgeable (it was up until 120s before refresh) initializing it with (UINT64_MAX - (uint64_t)WG_COOKIE_SECRET_MAX_AGE * 1000UL - 1)
349d1f2 - add missing ipv4 correcteness check (nibble must be 4)
8710a1d - add missing null guard in dhcp_send_request
7558e58 - add missing null check in wolfip_poll
4bdeea6 - add missing null check in wolfip_register_callback
7955e6d - prevent arp cache poisoning by no longer learning neighbors from arp requests now only relipes will populate the cache and update the affected arp unit tests to match
e31c232 - move the dev->handshakes_per_cycle increment (counts how many handshakes per poll cycle) after the dos guard flag (under_load) - change the poll to check if under_load to include 8 max peers (from > to >=)