diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2021-08-03 02:09:30 +0200 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-08-03 02:19:00 +0200 |
| commit | 7f0f10ad935d0770ab540d6e4dd543bc8120e5ba (patch) | |
| tree | 96f041a3aadfcf39d125a574267dd52b89e81ed6 | |
| parent | api: incorporate new win7 code signing technique (diff) | |
| download | wireguard-nt-7f0f10ad935d0770ab540d6e4dd543bc8120e5ba.tar.xz wireguard-nt-7f0f10ad935d0770ab540d6e4dd543bc8120e5ba.zip | |
driver: receive: don't use ParentNetBuffer when passing off NBLs to NDIS
Otherwise WFP attempts to correlate flows and winds up dereferencing
garbage in ParentNetBuffer->NetBufferListInfo[WfpNetBufferListInfo].
Reported-by: Sam Sun <sam@samczsun.com>
Reported-by: Jauder Ho <jauderho@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
| -rw-r--r-- | driver/queueing.h | 4 | ||||
| -rw-r--r-- | driver/receive.c | 1 |
2 files changed, 2 insertions, 3 deletions
diff --git a/driver/queueing.h b/driver/queueing.h index 81f49c5..ea87ca3 100644 --- a/driver/queueing.h +++ b/driver/queueing.h @@ -109,7 +109,7 @@ PeerSerialDequeue(_Inout_ PEER_SERIAL *Serial) * NBL[1] = prev queue link * NB[0-1] = nonce * NB[2] = keypair - * NB[3] = <empty> + * NB[3] = wsk datagram indication (rx only) */ #define NET_BUFFER_NONCE(Nb) (*(UINT64 *)&NET_BUFFER_MINIPORT_RESERVED(Nb)[0]) #define NET_BUFFER_LIST_KEYPAIR(Nbl) \ @@ -118,7 +118,7 @@ PeerSerialDequeue(_Inout_ PEER_SERIAL *Serial) #define NET_BUFFER_LIST_CRYPT_STATE(Nbl) ((LONG *)&NET_BUFFER_LIST_MINIPORT_RESERVED(Nbl)[0]) #define NET_BUFFER_LIST_PER_PEER_LIST_LINK(Nbl) (*(NET_BUFFER_LIST **)&NET_BUFFER_LIST_MINIPORT_RESERVED(Nbl)[1]) #define NET_BUFFER_LIST_PROTOCOL(Nbl) ((UINT16_BE)(ULONG_PTR)NET_BUFFER_LIST_INFO(Nbl, NetBufferListProtocolId)) -#define NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl) (*(WSK_DATAGRAM_INDICATION **)&Nbl->ParentNetBufferList) +#define NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl) (*(WSK_DATAGRAM_INDICATION **)&NET_BUFFER_MINIPORT_RESERVED(NET_BUFFER_LIST_FIRST_NB(Nbl))[3]) /* receive.c APIs: */ _IRQL_requires_max_(DISPATCH_LEVEL) diff --git a/driver/receive.c b/driver/receive.c index 9fc9cdb..cda511a 100644 --- a/driver/receive.c +++ b/driver/receive.c @@ -616,7 +616,6 @@ FreeReceiveNetBufferList(WG_DEVICE *Wg, NET_BUFFER_LIST *First) NextNbl = NET_BUFFER_LIST_NEXT_NBL(Nbl); NET_BUFFER_LIST_NEXT_NBL(Nbl) = NULL; WSK_DATAGRAM_INDICATION *DatagramIndication = NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl); - NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl) = NULL; SOCKET *Socket = (SOCKET *)DatagramIndication->Next; DatagramIndication->Next = NULL; ((WSK_PROVIDER_DATAGRAM_DISPATCH *)Socket->Sock->Dispatch)->WskRelease(Socket->Sock, DatagramIndication); |