author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-09-16 12:06:32 +0000 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-09-16 12:08:33 +0000 |
commit | a90b3088904b3ffdfb3e0f5c4931e92494e370a9 (patch) | |
tree | 6a95f59dc54122bef09b786c655054b1438d2cd3 | |
parent | driver: Replace depreciated ExAllocatePoolWithTag (diff) | |
driver: allow userspace to write garbage
Not discouraging userspace from skipping checking IP packets seems like
a bad thing, but they skip it anyway, so at least avoid the DoS due to
API misuse.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | driver/wintun.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/driver/wintun.c b/driver/wintun.c
index 79952e4..2e740e2 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -509,6 +509,8 @@ TunProcessReceiveData(_Inout_ TUN_CTX *Ctx)
 if (AlignedPacketSize > RingContent)
 break;
+ RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);
+
 ULONG NblFlags;
 USHORT NblProto;
 if (PacketSize >= 20 && Packet->Data[0] >> 4 == 4)
@@ -522,9 +524,8 @@ TunProcessReceiveData(_Inout_ TUN_CTX *Ctx)
 NblProto = HTONS(NDIS_ETH_TYPE_IPV6);
 }
 else
- break;
+ goto skipNbl;
- RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);
 VOID *PacketAddr = (UCHAR *)MmGetMdlVirtualAddress(Ctx->Device.Receive.Mdl) + (ULONG)(Packet->Data - (UCHAR *)Ring);
 MDL *Mdl = IoAllocateMdl(PacketAddr, PacketSize, FALSE, FALSE, NULL); |
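Review bot: The relocated `RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);` in the first hunk has no comment saying it must stay ahead of the IP-version check, and that ordering is what keeps a malformed packet from stalling the ring. The only bound visible before the advance is `AlignedPacketSize > RingContent`, so a later reorder that moves the advance back below the check would silently restore the stall the commit message calls a DoS. I would add `/* Consume the slot before validating the payload: a rejected packet must still move RingHead. */` above the line. TunProcessReceiveData begins and ends outside the hunk.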
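Review bot: The new `goto skipNbl;` in the second hunk discards a packet that is neither IPv4 nor IPv6, with nothing visible here that records the drop, and the `skipNbl` label lies outside the hunk. Since RingHead has already been advanced for this packet, it is worth confirming that the label's path does the same ring accounting as its other jumps and bumps a discard or error counter, so a client feeding garbage shows up in interface statistics rather than disappearing. A short comment at the jump would help, e.g. `/* Not IPv4/IPv6: drop it and keep draining the ring. */`.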