aboutsummaryrefslogtreecommitdiffstats
path: root/driver (follow)
Commit message (Collapse)AuthorAgeFilesLines
* driver: nsi: forward IRPs instead of failingJason A. Donenfeld2026-05-071-8/+15
| | | | | | | | We always have a file reference to get the proper nsi device object, so rather than failing, in most cases, we can properly service these requests. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: nsi: compare FilterDevice pointers under rundown protectionJason A. Donenfeld2026-05-071-2/+9
| | | | | | | | And also gate the PriorDispatch on the presence of an extension, which NDIS always has. Reported-by: Brian Diff <bdiff7311@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: nsi: re-initialize rundown protection atomicallyJason A. Donenfeld2026-05-071-3/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: noise: remove unused StaticPrivate variableJason A. Donenfeld2026-04-291-2/+0
| | | | | | | The stack version of this is never used, because it's long-lived, and so we always read it out of the peer struct. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: remove unused prefast suppressionsJason A. Donenfeld2026-04-212-3/+0
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: remove fixed codeql suppressionsJason A. Donenfeld2026-04-214-16/+0
| | | | | | | I fixed the CodeQL rules. Link: https://github.com/microsoft/Windows-Driver-Developer-Supplemental-Tools/pull/217 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: note that stack Endpoint is safe in SocketSendBufferAsReplyToNblJason A. Donenfeld2026-04-161-1/+1
| | | | | | | | | | WSK's WskSendTo copies addresses and control messages synchronously before returning STATUS_PENDING. Confirmed by reverse engineering afd.sys!WskProIRPSendTo and tcpip.sys!UdpSendMessages, which consume address and cmsg data in the transport dispatch call and store only the completion callback and IRP in the NBL context. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: allowedips: return STATUS_SUCCESS instead of 0Jason A. Donenfeld2026-04-161-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: use /DECLSPEC_ALIGN(n) instead of __declspec(align(n))Jason A. Donenfeld2026-04-156-15/+15
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: enable /std:clatest and use typeofJason A. Donenfeld2026-04-1414-67/+67
| | | | | | | | | | | | | | Use C23 typeof to eliminate redundant type parameters from the RCU macros. Also, drop mention of hoping to use alignas in TODO.md. It only goes on members of structs, not the struct type itself, which I find syntactically annoying, and it doesn't really confer any additional real benefits. Moving to C23 means that we must use __VA_OPT__. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: nsi: filter \Device\Nsi instead of polling in threadJason A. Donenfeld2026-04-146-152/+433
| | | | | | | | | | | | | | | | | This restores 217922a ("driver: device: hack around broken IP notifier by hijacking \Device\Nsi"), but does it right, hopefully. Since we're attaching to \Device\Nsi as a filter, we increment the refcount of the driver, which means Unload doesn't get called until we detach filtering. So we attach and detach on first and last device creation and destruction. A limitation of the old commit is that it missed notifications from netsh, because netsh sets the subinterface mtu, not the interface mtu. I've now updated the code to catch both updates. For WireGuard, they are effectively the same. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: containers: tiny SAL nitJason A. Donenfeld2026-04-141-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: crypto: zero state on MDL failureJason A. Donenfeld2026-04-141-5/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: allow retrying WskInit if it fails for the first userJason A. Donenfeld2026-04-141-1/+0
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: timers: set pending false before executing callbackJason A. Donenfeld2026-04-141-1/+1
| | | | | | This makes the re-arm logic work better. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: memory: fix bad parens in NT_SUCCESSJason A. Donenfeld2026-04-141-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: device: check ndis version firstJason A. Donenfeld2026-04-141-6/+6
| | | | | | This avoids having to cleanup if the version is wrong. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: receive: don't increment both discards and errorsJason A. Donenfeld2026-04-142-9/+9
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: receive: require exact header lengthsJason A. Donenfeld2026-04-141-6/+7
| | | | | | | | | This matches the behavior on Linux and other operating systems. Before, you could append a bunch of cruft, which would then not get copied to the header, while the MAC checker would still look at the end of the NBL, hashing garbage. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: use FIELD_SIZE instead of RTL_FIELD_SIZEJason A. Donenfeld2026-04-141-4/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: reset event object before reuseJason A. Donenfeld2026-04-141-0/+2
| | | | | | | | | | | | | Bad flow: - new event, Done - first op finishes sync, so STATUS_SUCCESS, which isn't pending, Done isn't consumed. - next op finishes async, so STATUS_PENDING, so we wait on it, but it's already consumed from before, so it doesn't wait. Fix this the easy way by always resetting the event always. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: free table if mem allocation failsJason A. Donenfeld2026-04-141-1/+3
| | | | | | Otherwise we leak table. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: reset v4 port when retrying on conflictJason A. Donenfeld2026-04-141-0/+1
| | | | | | | | If port 0 is passed, for a random port, it gets assigned on v4 allocation, and then can fail on v6 allocation it's already in use. In that case, set the port back to 0 so that it can try a new random port. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: do not leak socket owner processJason A. Donenfeld2026-04-141-0/+7
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: set allowedips flags to 0Jason A. Donenfeld2026-04-141-0/+1
| | | | | | This is better than returning garbage, in case we extend this later. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: mark the unsafe allowedip pointer as volatileJason A. Donenfeld2026-04-141-2/+2
| | | | | | That's what we do for the others, so why not this one? Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: try using NdisWdfGetAdapterContextFromAdapterHandle againJason A. Donenfeld2026-04-144-25/+20
| | | | | | | | | | | | The issue faced by 4309390 ("driver: ioctl: restore usage of FunctionalDeviceObject->Reserved") wasn't that Windows 10 RTM didn't have NdisWdfGetAdapterContextFromAdapterHandle(), but rather that DispatchPnp was being called very early with a different device object. We can fix this by simply testing to see if we have the right type of device. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: settle on using DeviceObject->ReservedJason A. Donenfeld2026-04-143-16/+2
| | | | | | | | | | Further experiments with NdisWdfGetAdapterContextFromAdapterHandle indicate it's probably less reliable than using ->Reserved, because it means dereferencing DeviceExension. Also get rid of the awkward IoctlHalt. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: fix whitespace errorJason A. Donenfeld2026-04-141-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: restore usage of FunctionalDeviceObject->ReservedJason A. Donenfeld2026-04-095-12/+39
| | | | | | | | | | | | | | | | | | | | | | | | Otherwise, on Windows 10 RTM, nt!KeBugCheckEx nt!KiBugCheckDispatch+0x69 nt!KiPageFault+0x248 nt!KiTryUnwaitThread+0x35 nt!KeSetEvent+0x188 wireguard!DispatchPnp+0x50 [driver\ioctl.c @ 677] nt!PnpAsynchronousCall+0xe5 nt!PiIrpQueryRemoveDevice+0x8c nt!PnpQueryRemoveLockedDeviceNode+0x69 nt!PnpDeleteLockedDeviceNode+0x84 nt!PnpDeleteLockedDeviceNodes+0xb1 nt!PnpProcessQueryRemoveAndEject+0x3d1 nt!PnpProcessTargetDeviceEvent+0xd9 nt!PnpDeviceEventWorker+0x33c nt!ExpWorkerThread+0xe9 nt!PspSystemThreadStartup+0x58 nt!KiStartSystemThread+0x16 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: remove code analysisJason A. Donenfeld2026-03-2713-52/+0
| | | | | | Microsoft is getting rid of it! Yikes. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: suppress invalid codeql warningsJason A. Donenfeld2026-03-274-1/+15
| | | | | | These are kind of bogus and use a variation of styles. Bah! Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: socket: suppress memory leak warningJason A. Donenfeld2026-03-271-0/+1
| | | | | | | We're allocating the IRP on the stack, so this shouldn't be a real issue. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: don't use paged dispatchers when not necessaryJason A. Donenfeld2026-03-271-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* build: remove SDVJason A. Donenfeld2026-03-272-14/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: apply clang-formatJason A. Donenfeld2026-03-273-6/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ioctl: removed unused halt eventJason A. Donenfeld2026-03-274-15/+0
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: port to windows 10Jason A. Donenfeld2026-03-278-158/+25
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: bump copyrightJason A. Donenfeld2026-03-2445-47/+47
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: allowedips: remove Seq linuxismJason A. Donenfeld2026-03-242-8/+0
| | | | | | | This was used in the Linux implementation for resuming iterations over netlink, but wound up finding no use case on NT. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: allowedips: add WG_IOCTL_ALLOWED_IP_REMOVE flagJason A. Donenfeld2026-03-245-39/+183
| | | | | | | | | This allows removing individual allowed IPs without having to clear them all out and dropping packets or relying on a dummy peer to have move semantics. Suggested-by: Jordan Rife <jordan@jrife.io> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: crypto: call streaming API objects "_CTX" instead of "_STATE"Jason A. Donenfeld2026-03-245-142/+142
| | | | | | This aligns with conventions in other projects, like Linux and OpenSSL. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: crypto: blake2s: reorder single-shot functionJason A. Donenfeld2026-03-244-8/+8
| | | | | | | This follows Linux's unification of conventions and is indeed more clear. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: ipc: send staged packets when setting initial private keyJason A. Donenfeld2026-03-241-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Packets bound for peers can queue up prior to the device private key being set. For example, if persistent keepalive is set, a packet is queued up to be sent as soon as the device comes up. However, if the private key hasn't been set yet, the handshake message never sends, and no timer is armed to retry, since that would be pointless. But, if a user later sets a private key, the expectation is that those queued packets, such as a persistent keepalive, are actually sent. So adjust the configuration logic to account for this edge case, and add a test case to make sure this works. Maxim noticed this with a wg-quick(8) config to the tune of: [Interface] PostUp = wg set %i private-key somefile [Peer] PublicKey = ... Endpoint = ... PersistentKeepalive = 25 Here, the private key gets set after the device comes up using a PostUp script, triggering the bug. Reported-by: Maxim Cournoyer <maxim.cournoyer@gmail.com> Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/ Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: allowedips: expand maximum node depthJason A. Donenfeld2023-12-112-12/+14
| | | | | | | | | | | | In the allowedips self-test, nodes are inserted into the tree, but it generated an even amount of nodes, but for checking maximum node depth, there is of course the root node, which makes the total number necessarily odd. With two few nodes added, it never triggered the maximum depth check like it should have. So, add 129 nodes instead of 128 nodes, and do so with a more straightforward scheme, starting with all the bits set, and shifting over one each time. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: PEER_UPDATE is supposed to be UPDATE_ONLYJason A. Donenfeld2021-10-192-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* api: adapter: replace INF Include/Needs hack with stub deviceJason A. Donenfeld2021-10-111-2/+0
| | | | | | | | | | | | Apparently breaking the guarantee of "Universal INF"s receives the big tsk tsk, so this commit is yet another way to set SuggestedInstanceId. We create an SwDevice, with DEVPKEY_Device_ClassGuid set to GUID_DEVCLASS_NET and an empty HWID, and then create the software regkey and add the keys we need. We then destroy the SwDevice, and recreate a new one with the same instance ID, this time with the proper parameters. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: add icon to device managerJason A. Donenfeld2021-10-113-0/+8
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* api: adapter: set suggested instance ID using INF instead of ourselvesJason A. Donenfeld2021-10-061-0/+2
| | | | | | This might allow us to more successfully move to using SwDevice. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* driver: inf: remove Windows 9x regkeyJason A. Donenfeld2021-10-061-1/+0
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Copyright © 1996 – 2026 Jason A. Donenfeld. All Rights Reverse Engineered.