From a90b3088904b3ffdfb3e0f5c4931e92494e370a9 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 16 Sep 2021 12:06:32 +0000
Subject: driver: allow userspace to write garbage

Not discouraging userspace from skipping checking IP packets seems like a bad thing, but they skip it anyway, so at least avoid the DoS due to API misuse.

Signed-off-by: Jason A. Donenfeld
---
 driver/wintun.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/driver/wintun.c b/driver/wintun.c
index 79952e4..2e740e2 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -509,6 +509,8 @@ TunProcessReceiveData(_Inout_ TUN_CTX *Ctx)
 if (AlignedPacketSize > RingContent)
 break;
 
+ RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);
+
 ULONG NblFlags;
 USHORT NblProto;
 if (PacketSize >= 20 && Packet->Data[0] >> 4 == 4)
@@ -522,9 +524,8 @@ TunProcessReceiveData(_Inout_ TUN_CTX *Ctx)
 NblProto = HTONS(NDIS_ETH_TYPE_IPV6);
 }
 else
- break;
+ goto skipNbl;
 
- RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);
 VOID *PacketAddr = (UCHAR *)MmGetMdlVirtualAddress(Ctx->Device.Receive.Mdl) + (ULONG)(Packet->Data - (UCHAR *)Ring);
 MDL *Mdl = IoAllocateMdl(PacketAddr, PacketSize, FALSE, FALSE, NULL);
-- 
cgit v1.2.3-59-g8ed1b
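Review bot: The early `RingHead` advance in TunProcessReceiveData has no comment saying why it now precedes the IP-version check, and that ordering is the whole fix. I would add above it `/* Consume the packet before classifying it, so a non-IP packet is dropped instead of ending the receive loop. */`. Because the head now moves for every packet that passes the size check, any later exit from this iteration has to account for a packet that is already consumed. The rest of the loop is outside the hunk, so that is worth confirming there.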
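Review bot: The new `goto skipNbl;` jumps over the initialized declarations of `PacketAddr` and `Mdl` and leaves `NblFlags` and `NblProto` unset, so everything after the `skipNbl` label must avoid those four variables on this path. The label is outside the hunk, so this cannot be checked from here. It is also worth confirming that the label's path counts the discarded packet, for example in an interface discard statistic, because a silently dropped malformed write is otherwise invisible to anyone monitoring or debugging the adapter. A short comment at the `else`, such as `/* Not IPv4/IPv6: skip the packet, keep the ring running. */`, would record the intent.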