From 1e1bb5780c31d28ae041769b611b70b4f35c7ede Mon Sep 17 00:00:00 2001
From: Kristof Provost <kp@FreeBSD.org>
Date: Mon, 12 Jun 2023 15:12:37 +0200
Subject: dummynet tests: attempt to provoke wf2q+ use-after-free

Attempt to provoke known use-after-free issues with WF2Q+.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/common/dummynet.sh | 55 ++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/tests/sys/netpfil/common/dummynet.sh b/tests/sys/netpfil/common/dummynet.sh
index 6f7981a043a8..9b8a93cba365 100644
--- a/tests/sys/netpfil/common/dummynet.sh
+++ b/tests/sys/netpfil/common/dummynet.sh
@@ -203,6 +203,59 @@ codel_cleanup()
 	firewall_cleanup $1
 }
 
+wf2q_heap_head()
+{
+	atf_set descr 'Test WF2Q+, attempting to provoke use-after-free'
+	atf_set require.user root
+}
+
+wf2q_heap_body()
+{
+	fw=$1
+	firewall_init $fw
+	dummynet_init $fw
+
+       j=dummynet_wf2q_heap_${fw}_
+
+       epair=$(vnet_mkepair)
+       epair_other=$(vnet_mkepair)
+       vnet_mkjail ${j}a ${epair}a
+       vnet_mkjail ${j}b ${epair}b ${epair_other}b
+
+       jexec ${j}a ifconfig ${epair}a up mtu 9000
+       va=$(jexec ${j}a ifconfig vlan create vlan 42 vlandev ${epair}a)
+       jexec ${j}a ifconfig ${va} 192.0.2.1/24 up #mtu 8000
+
+       jexec ${j}b ifconfig ${epair}b up mtu 9000
+       vb=$(jexec ${j}b ifconfig vlan create vlan 42 vlandev ${epair}b)
+       jexec ${j}b ifconfig ${vb} 192.0.2.2/24 up #mtu 8000
+       jexec ${j}b ifconfig ${epair_other}b up
+
+       # Sanity check
+       atf_check -s exit:0 -o ignore \
+           jexec ${j}b ping -c 1 192.0.2.1
+
+       jexec ${j}b dnctl pipe 1 config bw 10Mb queue 100 delay 500 droptail
+       jexec ${j}b dnctl sched 1 config pipe 1 type wf2q+
+       jexec ${j}b dnctl queue 1 config pipe 1 droptail
+
+       firewall_config ${j}b ${fw} \
+               "pf"    \
+                       "pass dnqueue 1"
+
+       jexec ${j}a ping -f 192.0.2.2 &
+       sleep 1
+
+       jexec ${j}b ifconfig ${vb} destroy
+
+       sleep 2
+}
+
+wf2q_heap_cleanup()
+{
+	firewall_cleanup $1
+}
+
 queue_head()
 {
 	atf_set descr 'Basic queue test'
@@ -478,6 +531,8 @@ setup_tests		\
 	codel		\
 		ipfw	\
 		pf	\
+	wf2q_heap	\
+		pf	\
 	queue		\
 		ipfw	\
 		pf	\
-- 
cgit v1.2.3