TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-07-18 11:38:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine/magicsock: fix lazyEndpoint DstIP() vs SrcIP() (#16453)

Browse Source 
These were flipped. DstIP() and DstIPBytes() are used internally by
wireguard-go as part of a handshake DoS mitigation strategy.

Updates tailscale/corp#20732
Updates tailscale/corp#30042

Signed-off-by: Jordan Whited <jordan@tailscale.com>
This commit is contained in:
Jordan Whited 2025-07-07 10:06:38 -07:00 committed by GitHub
parent 3b32cc7586
commit a84d58015c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 24 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
wgengine/magicsock/magicsock.go
View File

@ -3774,12 +3774,12 @@ func (c *Conn) SetLastNetcheckReportForTest(ctx context.Context, report *netchec
c.lastNetCheckReport.Store(report) c.lastNetCheckReport.Store(report)
} }
// lazyEndpoint is a wireguard conn.Endpoint for when magicsock received a // lazyEndpoint is a wireguard [conn.Endpoint] for when magicsock received a
// non-disco (presumably WireGuard) packet from a UDP address from which we // non-disco (presumably WireGuard) packet from a UDP address from which we
// can't map to a Tailscale peer. But Wireguard most likely can, once it // can't map to a Tailscale peer. But WireGuard most likely can, once it
// decrypts it. So we implement the conn.PeerAwareEndpoint interface // decrypts it. So we implement the [conn.PeerAwareEndpoint] interface
// from https://github.com/tailscale/wireguard-go/pull/27 to allow WireGuard // from https://github.com/tailscale/wireguard-go/pull/27 to allow WireGuard
// to tell us who it is later and get the correct conn.Endpoint. // to tell us who it is later and get the correct [conn.Endpoint].
type lazyEndpoint struct { type lazyEndpoint struct {
c *Conn c *Conn
src epAddr src epAddr
@ -3789,11 +3789,25 @@ var _ conn.PeerAwareEndpoint = (*lazyEndpoint)(nil)
var _ conn.Endpoint = (*lazyEndpoint)(nil) var _ conn.Endpoint = (*lazyEndpoint)(nil)
func (le *lazyEndpoint) ClearSrc() {} func (le *lazyEndpoint) ClearSrc() {}
func (le *lazyEndpoint) SrcIP() netip.Addr { return le.src.ap.Addr() } func (le *lazyEndpoint) SrcIP() netip.Addr { return netip.Addr{} }
func (le *lazyEndpoint) DstIP() netip.Addr { return netip.Addr{} }
func (le *lazyEndpoint) SrcToString() string { return le.src.String() } // DstIP returns the remote address of the peer.
func (le *lazyEndpoint) DstToString() string { return "dst" } //
func (le *lazyEndpoint) DstToBytes() []byte { return nil } // Note: DstIP is used internally by wireguard-go as part of handshake DoS
// mitigation.
func (le *lazyEndpoint) DstIP() netip.Addr { return le.src.ap.Addr() }
func (le *lazyEndpoint) SrcToString() string { return "" }
func (le *lazyEndpoint) DstToString() string { return le.src.String() }
// DstToBytes returns a binary representation of the remote address of the peer.
//
// Note: DstToBytes is used internally by wireguard-go as part of handshake DoS
// mitigation.
func (le *lazyEndpoint) DstToBytes() []byte {
b, _ := le.src.ap.MarshalBinary()
return b
}
// FromPeer implements [conn.PeerAwareEndpoint]. We return a [*lazyEndpoint] in // FromPeer implements [conn.PeerAwareEndpoint]. We return a [*lazyEndpoint] in
// our [conn.ReceiveFunc]s when we are unable to identify the peer at WireGuard // our [conn.ReceiveFunc]s when we are unable to identify the peer at WireGuard