diff options
author | Simon Rozman <simon@rozman.si> | 2019-03-28 12:07:55 +0100 |
---|---|---|
committer | Simon Rozman <simon@rozman.si> | 2019-03-28 12:08:14 +0100 |
commit | 5e5cb745531b94e7bedb203a78c6b05ca4cdd088 (patch) | |
tree | f2a8467776becbff49d0acde5709976b11e2a841 | |
parent | Check buffer for oversize after MDL size consultation (diff) | |
download | wintun-5e5cb745531b94e7bedb203a78c6b05ca4cdd088.tar.xz wintun-5e5cb745531b94e7bedb203a78c6b05ca4cdd088.zip |
Limit minimum size of exchange buffer
Signed-off-by: Simon Rozman <simon@rozman.si>
Diffstat (limited to '')
-rw-r--r-- | wintun.c | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -32,6 +32,8 @@ #define TUN_EXCH_ALIGNMENT 16 // Memory alignment in exchange buffers #define TUN_EXCH_MAX_IP_PACKET_SIZE (TUN_EXCH_MAX_PACKET_SIZE - sizeof(TUN_PACKET)) // Maximum IP packet size (headers + payload) #define TUN_EXCH_MAX_BUFFER_SIZE (TUN_EXCH_MAX_PACKETS * TUN_EXCH_MAX_PACKET_SIZE) // Maximum size of read/write exchange buffer +#define TUN_EXCH_MIN_BUFFER_SIZE_READ TUN_EXCH_MAX_PACKET_SIZE // Minimum size of read exchange buffer +#define TUN_EXCH_MIN_BUFFER_SIZE_WRITE (sizeof(TUN_PACKET)) // Minimum size of write exchange buffer #define TUN_QUEUE_MAX_NBLS 1000 typedef struct _TUN_PACKET { @@ -302,6 +304,18 @@ static NTSTATUS TunGetIrpBuffer(_In_ IRP *Irp, _Out_ UCHAR **buffer, _Out_ ULONG if (*size > TUN_EXCH_MAX_BUFFER_SIZE) return STATUS_INVALID_USER_BUFFER; + switch (stack->MajorFunction) { + case IRP_MJ_READ: + if (*size < TUN_EXCH_MIN_BUFFER_SIZE_READ) + return STATUS_INVALID_USER_BUFFER; + break; + + case IRP_MJ_WRITE: + if (*size < TUN_EXCH_MIN_BUFFER_SIZE_WRITE) + return STATUS_INVALID_USER_BUFFER; + break; + } + return STATUS_SUCCESS; } |