fix: validate key lengths from kernel reply and fix try_again loop cleanup#20
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Correctness improvements for the WireGuard userspace IPC layer by validating key sizes returned from the kernel and hardening retry-loop cleanup, plus new repo configuration/docs for Beads-based issue tracking and agent tooling.
Changes:
- Validate netlink attribute payload lengths for private/public/psk key parsing before allocating/copying.
- In genkey/derive/psk retry loops, null out
nlgaftermnlg_socket_close()to avoid stale-pointer cleanup paths. - Add Beads/agent integration files (docs, hooks, config) and update
.gitignorefor Beads/Dolt artifacts.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| user-src/ipc-linux.h | Adds strict key-length validation and makes try_again cleanup safer by clearing nlg after close. |
| CLAUDE.md | Adds AI-agent workflow instructions with Beads integration guidance. |
| AGENTS.md | Adds agent operation guidance (non-interactive shell tips + Beads workflow). |
| .gitignore | Ignores Dolt/Beads artifacts (but also introduces broad *.db ignore). |
| .claude/settings.json | Configures Claude hooks to run bd prime on session start/compact. |
| .beads/metadata.json | Adds Beads backend metadata (Dolt embedded DB config). |
| .beads/config.yaml | Adds Beads configuration template/comments. |
| .beads/README.md | Adds Beads usage/readme documentation for the repo. |
| .beads/.gitignore | Adds Beads runtime/Dolt ignore rules scoped to .beads/. |
| .beads/hooks/prepare-commit-msg | Adds Beads-managed git hook wrapper script. |
| .beads/hooks/pre-push | Adds Beads-managed git hook wrapper script. |
| .beads/hooks/pre-commit | Adds Beads-managed git hook wrapper script. |
| .beads/hooks/post-merge | Adds Beads-managed git hook wrapper script. |
| .beads/hooks/post-checkout | Adds Beads-managed git hook wrapper script. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -0,0 +1,69 @@ | |||
| # Project Instructions for AI Agents | |||
There was a problem hiding this comment.
The PR description states that changes are confined to user-src/ipc-linux.h, but this PR also adds multiple Beads/agent configuration and documentation files (e.g., CLAUDE.md, AGENTS.md, .beads/*, .claude/settings.json, and .gitignore). Please update the PR description to reflect these additional changes, or split the Beads/agent integration into a separate PR to keep the scope aligned.
…eanup In parse_privkey, parse_pubkey, and parse_psk: check that the payload length from the kernel netlink reply equals the expected key size (WG_PRIVATE_KEY_LEN, WG_PUBLIC_KEY_LEN, WG_SYMMETRIC_KEY_LEN) before allocating and copying. Return MNL_CB_ERROR on mismatch. In kernel_generate_privkey, kernel_derive_pubkey, and kernel_generate_psk: set nlg = NULL after mnlg_socket_close() in the out: cleanup block so that a stale pointer cannot be used on a subsequent try_again retry path.
MarkAtwood
force-pushed
the
fix/userspace-privkey-length-try-again-leak
branch
from
4f4eb2b to
b32cb62
Compare
Summary
Two correctness fixes in
user-src/ipc-linux.hfor the wolfguard userspace IPC code.Fix 1: Key length validation in parse_privkey, parse_pubkey, parse_psk
parse_privkey,parse_pubkey, andparse_pskpreviously usedmnl_attr_get_payload_len(attr)as both the allocation size and the copy length, with no check against the expected key size. A kernel response with the wrong payload length would be silently accepted, allocating and storing a buffer of the wrong size.The fix adds a length check against
WG_PRIVATE_KEY_LEN,WG_PUBLIC_KEY_LEN, andWG_SYMMETRIC_KEY_LENrespectively before allocating. On mismatch, the callback returnsMNL_CB_ERRORrather than allocating, matching the error-handling pattern used inparse_allowedips. The existingparse_deviceandparse_peercallbacks already applied this pattern (inline length checks before memcpy); this brings the genkey-specific parsers into conformance.Fix 2: nlg = NULL after mnlg_socket_close in try_again loops
kernel_generate_privkey,kernel_derive_pubkey, andkernel_generate_pskeach have atry_againloop. In theout:cleanup block,mnlg_socket_close(nlg)was called butnlgwas not set toNULLafterward. On agoto try_again, the stale (closed/freed) socket pointer remained innlg. Ifmnlg_socket_opensubsequently fails on the retry, the function returns early — but theout:block'sif (nlg)guard is misleading:nlgis non-NULL but invalid.The fix adds
nlg = NULLimmediately aftermnlg_socket_close(nlg)in eachout:block, making the cleanup safe regardless of retry behavior and matching defensive coding conventions.Files changed
user-src/ipc-linux.h: All changes are confined to the#ifndef NO_IPC_LLCRYPTOsection (parse callbacks and genkey/pubkey/psk kernel IPC functions).