driver: do not assume aligned addresses when allocating MDLs

IoAllocateMdl allocates a different size structure depending on the
bottom in-page bits of the address. By passing null, it assumes that the
address is aligned within the page, which it might not be. Fix this by
passing the eventual virtual address to the allocation function so that
the right amount is always allocated.

Reported-by: Oleksandr Muzychuk <oleksandr.muzychuk@apriorit.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/driver/wintun.c b/driver/wintun.c
index 3e615bb..7cb72bb 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -517,13 +517,15 @@ TunProcessReceiveData(_Inout_ TUN_CTX *Ctx)
             break;
 
         RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);
-        MDL *Mdl = IoAllocateMdl(NULL, PacketSize, FALSE, FALSE, NULL);
+        VOID *PacketAddr =
+            (UCHAR *)MmGetMdlVirtualAddress(Ctx->Device.Receive.Mdl) + (ULONG)(Packet->Data - (UCHAR *)Ring);
+        MDL *Mdl = IoAllocateMdl(PacketAddr, PacketSize, FALSE, FALSE, NULL);
         if (!Mdl)
             goto skipNbl;
         IoBuildPartialMdl(
             Ctx->Device.Receive.Mdl,
             Mdl,
-            (UCHAR *)MmGetMdlVirtualAddress(Ctx->Device.Receive.Mdl) + (ULONG)(Packet->Data - (UCHAR *)Ring),
+            PacketAddr,
             PacketSize);
         NET_BUFFER_LIST *Nbl = NdisAllocateNetBufferAndNetBufferList(Ctx->NblPool, 0, 0, Mdl, 0, PacketSize);
         if (!Nbl)