Commit e0e1b6db authored Nov 05, 2025 by Asbjørn Sloth Tønnesen Committed by Jason A. Donenfeld Dec 01, 2025

wireguard: netlink: enable strict genetlink validation



WireGuard is a modern enough genetlink family, that it doesn't need
resv_start_op. It already had policies in place when it was first
merged, it has also never used the reserved field, or other things
toggled by resv_start_op.

wireguard-tools have always used zero initialized memory, and have never
touched the reserved field, neither have any other clients I have
checked. Closed-source clients are much more likely to use the
embeddedable library from wireguard-tools, than a DIY implementation
using uninitialized memory.

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

parent 0177f0f0

drivers/net/wireguard/netlink.c

+0 −1

Original line number	Diff line number	Diff line
		@@ -631,7 +631,6 @@ static const struct genl_ops genl_ops[] = {
		static struct genl_family genl_family __ro_after_init = {
		.ops = genl_ops,
		.n_ops = ARRAY_SIZE(genl_ops),
		.resv_start_op = WG_CMD_SET_DEVICE + 1,
		.name = WG_GENL_NAME,
		.version = WG_GENL_VERSION,
		.maxattr = WGDEVICE_A_MAX,