From 5dfb9270fc4afaa66af13271590918e3a14d6eda Mon Sep 17 00:00:00 2001
From: riastradh <riastradh@NetBSD.org>
Date: Mon, 31 Aug 2020 20:24:19 +0000
Subject: [PATCH] wg: mbuf m_freem audit.

1. wg_handle_msg_data frees m but the other wg_handle_msg_* just take
   a pointer to the mbuf content and not m itself, so free m in those
   cases.

2. Can't trivially prove that the pcq is empty by the time
   wg_destroy_peer runs pcq_destroy, so let's explicitly purge it
   just in case.

3. If wg_send_udp isn't doing udp_send or udp6_output, it still has
   to free m in the !INET6 error branch for IPv6 packets.

4. After rumpuser_wg_send_peer or rumpuser_wg_send_user, we still
   need to free the mbuf.
---
 sys/net/if_wg.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/sys/net/if_wg.c b/sys/net/if_wg.c
index 2b359dbc4f2e..1caabd08fb2d 100644
--- a/sys/net/if_wg.c
+++ b/sys/net/if_wg.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wg.c,v 1.37 2020/08/31 20:23:56 riastradh Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.38 2020/08/31 20:24:19 riastradh Exp $	*/
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.37 2020/08/31 20:23:56 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.38 2020/08/31 20:24:19 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2683,11 +2683,13 @@ wg_handle_packet(struct wg_softc *wg, struct mbuf *m,
 		break;
 	case WG_MSG_TYPE_DATA:
 		wg_handle_msg_data(wg, m, src);
-		break;
+		/* wg_handle_msg_data frees m for us */
+		return;
 	default:
-		/* wg_validate_msg_header should already reject this case */
-		break;
+		panic("invalid message type: %d", wgm->wgm_type);
 	}
+
+	m_freem(m);
 }
 
 static void
@@ -3313,6 +3315,9 @@ wg_destroy_peer(struct wg_peer *wgp)
 	}
 	rw_exit(wg->wg_rwlock);
 
+	/* Purge pending packets.  */
+	wg_purge_pending_packets(wgp);
+
 	/* Halt all packet processing and timeouts.  */
 	softint_disestablish(wgp->wgp_si);
 	callout_halt(&wgp->wgp_rekey_timer, NULL);
@@ -3704,6 +3709,7 @@ wg_send_udp(struct wg_peer *wgp, struct mbuf *m)
 		error = udp6_output(sotoin6pcb(so), m, wgsatosin6(wgsa),
 		    NULL, curlwp);
 #else
+		m_freem(m);
 		error = EPROTONOSUPPORT;
 #endif
 	}
@@ -4653,6 +4659,8 @@ wg_send_user(struct wg_peer *wgp, struct mbuf *m)
 
 	wg_put_sa(wgp, wgsa, &psref);
 
+	m_freem(m);
+
 	return error;
 }
 
@@ -4692,6 +4700,8 @@ wg_input_user(struct ifnet *ifp, struct mbuf *m, const int af)
 
 	/* Send decrypted packets to users via a tun. */
 	rumpuser_wg_send_user(wg->wg_user, iov, 2);
+
+	m_freem(m);
 }
 
 static int