From ddef84c5730ff62fe25210346a883a31cd488adf Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Mon, 18 May 2020 10:49:32 +0200
Subject: [PATCH] Protect against rogue routes by adversarial nodes

Do not blindly trust routes announced by other nodes. This first step simply checks that announced routes are inside the configured routed network.
---
 wg/wireguard.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wg/wireguard.go b/wg/wireguard.go
index 887816a..d3fe47d 100644
--- a/wg/wireguard.go
+++ b/wg/wireguard.go
@@ -144,6 +144,9 @@ func (s *State) SetUpInterface(nodes []common.Node, routedNet *net.IPNet) error
 		})
 		// via routes
 		for _, route := range node.Routes {
+			if !routedNet.Contains(route.IP) {
+				continue
+			}
 			routes = append(routes, netlink.Route{
 				LinkIndex: link.Attrs().Index,
 				Dst: &route,
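Review bot: The added guard `routedNet.Contains(route.IP)` tests only the route's base address, so a peer can still announce a prefix shorter than the routed network (its base address with a /0 or /8 mask, for instance) and have it installed as `Dst`, steering traffic for destinations outside `routedNet` through that node; the mask has to be checked as well. I would compute `ro, rb := route.Mask.Size()` and `no, nb := routedNet.Mask.Size()` before the guard and widen it to `if rb == 0 || rb != nb || ro < no || !routedNet.Contains(route.IP) {`, which also rejects non-canonical masks (where `Size` returns 0, 0), an address-family mismatch, and any prefix wider than the routed network. Silently `continue`-ing hides the fact that a peer sent a route that had to be dropped; if a logger is available in this package, recording the node and the offending route at that point would give operators a signal of misconfiguration or hostile behaviour. `SetUpInterface` begins and ends outside the hunk, so I cannot tell whether `routedNet` is guaranteed non-nil before this loop; if it can be nil, the `Contains` call would panic.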