Replay window is only 4 packets wide, instead of 32

smartalock / wireguard-lwip

WireGuard Implementation for lwIP

Other

192 stars 29 forks source link

Replay window is only 4 packets wide, instead of 32 #4

Closed bwindrim closed 1 year ago

bwindrim commented 1 year ago

In wireguard_check_replay(), wireguard.c line 324, the replay window size is declared as:

size_t ReplayWindowSize = sizeof(keypair->replay_bitmap); // 32 bits

but this gives a value of 4, so that only 4 of the 32 bits in the replay bitmap are used. In RFC2401, which this is based on, the window size is declared as:

enum { ReplayWindowSize = 32 };

This discrepancy shouldn't cause failures, but could cause out-of-order packets to be dropped unnecessarily.

smartalock commented 1 year ago

Thanks for reporting this - it looks like a bug. This should be fixed in commit 63b5865852a2af308c6c2034a60637600b44e0b3