path: root/driver
Commit message | Author | Age | Files | Lines

* driver: allowedips: expand maximum node depth | Jason A. Donenfeld | 2023-12-11 | 2 | -12/+14
In the allowedips self-test, nodes are inserted into the tree, but it generated an even number of nodes, but for checking maximum node depth, there is of course the root node, which makes the total number necessarily odd. With too few nodes added, it never triggered the maximum depth check like it should have. So, add 129 nodes instead of 128 nodes, and do so with a more straightforward scheme, starting with all the bits set, and shifting over one each time.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: PEER_UPDATE is supposed to be UPDATE_ONLY | Jason A. Donenfeld | 2021-10-19 | 2 | -2/+2
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* api: adapter: replace INF Include/Needs hack with stub device | Jason A. Donenfeld | 2021-10-11 | 1 | -2/+0
Apparently breaking the guarantee of "Universal INF"s receives the big tsk tsk, so this commit is yet another way to set SuggestedInstanceId. We create an SwDevice, with DEVPKEY_Device_ClassGuid set to GUID_DEVCLASS_NET and an empty HWID, and then create the software regkey and add the keys we need. We then destroy the SwDevice, and recreate a new one with the same instance ID, this time with the proper parameters.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: add icon to device manager | Jason A. Donenfeld | 2021-10-11 | 3 | -0/+8
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* api: adapter: set suggested instance ID using INF instead of ourselves | Jason A. Donenfeld | 2021-10-06 | 1 | -0/+2
This might allow us to more successfully move to using SwDevice.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: inf: remove Windows 9x regkey | Jason A. Donenfeld | 2021-10-06 | 1 | -1/+0
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: memory: help SDV with annotation | Jason A. Donenfeld | 2021-10-06 | 1 | -1/+3
Presumably it's fighting with the _Post_nonnull_, so add an assumption statement.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: ioctl: remove force closing of handles | Jason A. Donenfeld | 2021-10-06 | 3 | -123/+0
This driver has never actually made successful use of it, because we've been wrongly matching against the FunctionalDeviceObject instead of Stack->FileObject->DeviceObject. Yet, things seem to have worked fine enough because of smart notification to the logger thread. Furthermore, SwDevice calls halt immediately, because it constitutes a surprise removal, which means we don't really even have time for the fuse to go off. And finally, dereferencing Table[i]->Object can race with the destruction of that object, which is a UaF.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: ioctl: remove old pid check | Jason A. Donenfeld | 2021-09-29 | 1 | -5/+1
Since this is now a kernel thread, it doesn't make sense to compare to the current PID.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: fix IRQL annotations | Simon Rozman | 2021-09-28 | 2 | -2/+2
By calling WskInit in SocketInit, the latter must be run at passive IRQL. Actually, it is. This commit only updates the IRQL annotations accordingly.
Signed-off-by: Simon Rozman <simon@rozman.si>

* driver: socket: defer WskInit until sockets are actually created | Jason A. Donenfeld | 2021-09-24 | 3 | -80/+69
It turns out that MINIPORT_INITIALIZE can actually delay system load, and we currently have reports of people's systems hanging indefinitely. WskCaptureNPI is known to deadlock if called too early in boot (say, from DriverEntry of a PnP driver), but it was thought that MINIPORT_INITIALIZE was sufficiently late that it was okay. Perhaps that assumption is incorrect. In case it is, this patch moves WSK initialization to when sockets are created, which always happens in the context of a user thread, which naturally happens late in boot and can block.
We know empirically that MINIPORT_INITIALIZE can block system boot, by adding a `KeDelayExecutionThread(KernelMode, FALSE, &(LARGE_INTEGER){ .QuadPart = -SEC_TO_SYS_TIME_UNITS(300) });` to the top and noting that boot takes 5 minutes longer. So the theory that the assumption is incorrect is at least plausible.
All this commit does is move the call to WskInit() from InitializeEx in device.c to SocketInit() in socket.c. The diff looks more verbose than it is because making WskInit static and removing its forward declaration required shuffling some functions around in socket.c, but no code changed during that shuffle.
Reported-by: Oliver Freyermuth <freyermuth@physik.uni-bonn.de>
Reported-by: Joshua Sjoding <joshua.sjoding@scjalliance.com>
Reported-by: John-Paul Andreini <jandreini@geonerco.com>
Reported-by: Arlo Clauser <Arlo@starcubedesign.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: inf: remove useless LoadOrderGroup | Jason A. Donenfeld | 2021-09-24 | 1 | -1/+0
It's ignored for PnP drivers.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: queueing: don't wait on more than 64 cores at once | Jason A. Donenfeld | 2021-09-23 | 1 | -34/+19
It turns out we can't wait on more than 64 handles at once, which happens on monster systems with 128 cores. So, split this into chunks. While we're at it, make both the normal and low-mem path use the same logic, with the low-mem path simply doing 3 threads at once.
Reported-by: Joe Mulvihill <Joe.Mulvihill@Hardsuitlabs.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: do not use zero UDPv4 checksums | Jason A. Donenfeld | 2021-09-20 | 1 | -7/+0
Some routers using hardware NAT can't handle this. A packet goes through initially, but then once the flow is established and it's offloaded to the NAT hardware, the zero checksum causes most packets to be dropped. So, unfortunately, we have to remove this optimization.
Reported-by: Christian Årebrand <myspysgaddan@hotmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

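Added illustration of the checksum rule behind the commit above; this is example code written for this page, not wireguard-nt's own socket code. RFC 768 lets a UDPv4 sender put 0 in the checksum field to mean "no checksum was computed", which is the optimization the commit removes. A checksum that genuinely computes to zero must therefore be transmitted as 0xFFFF so it can never look like "no checksum". The addresses, ports and 4-byte payload below are constructed sample data; the functions are hypothetical names for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ones'-complement accumulation of 16-bit big-endian words. An odd trailing
 * byte is padded with a zero byte, as RFC 768 specifies. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    while (len > 1) {
        acc += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold carries back in until the sum fits in 16 bits. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)acc;
}

/* Turn an accumulated sum into the on-the-wire field: complement it, and map
 * a zero result to 0xFFFF so that 0 stays reserved for "no checksum". */
uint16_t udp_finalize(uint32_t acc)
{
    uint16_t csum = (uint16_t)~fold(acc);
    return csum ? csum : 0xFFFF;
}

/* Accumulate the 12-byte IPv4 pseudo-header: src, dst, zero, proto 17, length. */
static uint32_t pseudo_sum(const uint8_t src[4], const uint8_t dst[4], size_t udp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 17; /* IPPROTO_UDP */
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)udp_len;
    return sum16(pseudo, sizeof pseudo, 0);
}

/* udp points at UDP header + payload with the checksum bytes (6, 7) zeroed. */
uint16_t udp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *udp, size_t udp_len)
{
    return udp_finalize(sum16(udp, udp_len, pseudo_sum(src, dst, udp_len)));
}

/* Receiver view: 1 if the filled-in checksum verifies, 0 if it is wrong,
 * -1 if the field is zero (unchecked; the case the hardware NAT mishandles). */
int udp4_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                     const uint8_t *udp, size_t udp_len)
{
    uint16_t field = (uint16_t)((udp[6] << 8) | udp[7]);
    if (field == 0)
        return -1;
    return fold(sum16(udp, udp_len, pseudo_sum(src, dst, udp_len))) == 0xFFFF;
}

/* Constructed sample: 10.0.0.1:51820 -> 10.0.0.2:51820 carrying 4 bytes. */
static const uint8_t SRC[4] = { 10, 0, 0, 1 };
static const uint8_t DST[4] = { 10, 0, 0, 2 };

size_t sample_datagram(uint8_t out[12])
{
    static const uint8_t dgram[12] = {
        0xCA, 0x6C, 0xCA, 0x6C, /* ports 51820 / 51820 */
        0x00, 0x0C,             /* UDP length 12 */
        0x00, 0x00,             /* checksum, zeroed before computing */
        0x01, 0x00, 0x00, 0x00, /* payload */
    };
    memcpy(out, dgram, sizeof dgram);
    return sizeof dgram;
}

/* Compute, insert and re-verify the sample's checksum; returns the field. */
uint16_t sample_checksum(void)
{
    uint8_t d[12];
    size_t n = sample_datagram(d);
    uint16_t c = udp4_checksum(SRC, DST, d, n);
    d[6] = (uint8_t)(c >> 8);
    d[7] = (uint8_t)c;
    return udp4_checksum_ok(SRC, DST, d, n) == 1 ? c : 0;
}

/* The same sample left with a zero field, as the removed optimization sent it. */
int sample_unchecked(void)
{
    uint8_t d[12];
    size_t n = sample_datagram(d);
    return udp4_checksum_ok(SRC, DST, d, n);
}

int main(void)
{
    printf("sample UDP checksum: 0x%04X (zero field verdict: %d)\n",
           sample_checksum(), sample_unchecked());
    return 0;
}
```

The folded sum of the sample works out to 0xAA05, so the field is 0x55FA; re-adding that field folds the whole thing to 0xFFFF, which is what a receiver (or the NAT hardware) checks for.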
* driver: remove _NO_CRT_STDIO_INLINE workaround | Jason A. Donenfeld | 2021-09-16 | 1 | -1/+1
This was only present in 16.10. EWDK is at 16.9 and VS is now at 16.11.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: bypass TDI entirely | Jason A. Donenfeld | 2021-09-13 | 1 | -0/+12
Not only will this improve performance, but it will eliminate a big issue with IP_PKTINFO.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: use IP_OPTIONS for cmsg hack | Jason A. Donenfeld | 2021-09-10 | 1 | -14/+10
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: remember to copy cmsghack when copying endpoint | Jason A. Donenfeld | 2021-09-09 | 2 | -26/+26
Otherwise, we can't reply to incoming endpoints.
Reported-by: Peter Whisker <peter.whisker@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: receive: drop handshakes if queue lock is contended | Jason A. Donenfeld | 2021-09-09 | 2 | -1/+24
If we're being delivered packets from multiple CPUs so quickly that the ring lock is contended for CPU tries, then it's safe to assume that the queue is near capacity anyway, so just drop the packet rather than spinning. This helps deal with multicore DoS that can interfere with data path performance. It _still_ does not completely fix the issue, but it again chips away at it.
Reported-by: Streun Fabio <fstreun@student.ethz.ch>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: work around tcpip cmsg stripping bug | Jason A. Donenfeld | 2021-09-07 | 2 | -6/+33
If the cmsg only contains an IP_PKTINFO or IP_PKTINFO_EX, then on some systems, the entire control message will be stripped out early before passing it to WFP. Presumably this is an optimization gone bad. The lack of a valid controlMessage member in FWPS_INCOMING_METADATA_VALUES0 when callouts are triggered results in big problems. Specifically, problems occur with drivers like NFSDK or McAfee or various other applications users install that install callouts that capture an outgoing packet, and then later reinject it (with, say, FwpsInjectTransportSendAsync0). McAfee does this for their DPI. NFSDK does this for their userspace parser library. Various things seem to use this technique. The problem is that when IN_PKTINFO is stripped from FWPS_INCOMING_METADATA_VALUES0, then it's not subsequently passed to FwpsInjectTransportSendAsync0, so it's as if the packet was sent without IP_PKTINFO in the first place. This causes routing loops, and users have a dysfunctional tunnel with high CPU usage, as packets route round and round. These issues go away when the callout and FwpsInjectTransportSendAsync0 dance is removed, indicating that IN_PKTINFO is working as intended in the rest of the networking stack.
It turns out that the faulty optimization only triggers if IP_PKTINFO is the only control message used. So, we tag on a second control message that (hopefully) does nothing; IP_WFP_REDIRECT_RECORDS seems like a reasonable candidate. It happens to be Windows 8+, so we disable it on Windows 7, which doesn't need the hack anyway.
Adding an extra control message and potentially adding additional overhead to the egress path is pretty awful, but currently, I'm not aware of a better workaround.
Reported-by: Keshav Kejriwal <kesh.kejriwal@gmail.com>
Reported-by: Kai Haberzettl <khaberz@gmail.com>
Reported-by: Seyed Mohammad Hossein Amirkhalili <hosami@gmail.com>
Reported-by: Francky Meyer <francky.meyer@hotmail.fr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: allocate IRPs on stack | Jason A. Donenfeld | 2021-08-12 | 1 | -59/+45
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: group v4 and v6 sockopts | Jason A. Donenfeld | 2021-08-12 | 1 | -9/+6
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: device: initialize device removed event before registration | Jason A. Donenfeld | 2021-08-11 | 1 | -1/+1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: relax cmsg alignment, but assert macros match | Jason A. Donenfeld | 2021-08-11 | 2 | -5/+20
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: receive: update SAL | Simon Rozman | 2021-08-10 | 1 | -1/+1
Signed-off-by: Simon Rozman <simon@rozman.si>

* driver: ioctl: do not return zero psks | Jason A. Donenfeld | 2021-08-10 | 4 | -21/+25
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: receive: use ring buffer for incoming handshakes | Jason A. Donenfeld | 2021-08-09 | 4 | -20/+22
Apparently the spinlock on incoming_handshake's skb_queue is highly contended, and a torrent of handshake or cookie packets can bring the data plane to its knees, simply by virtue of enqueueing the handshake packets to be processed asynchronously. So, we try switching this to a ring buffer to hopefully have less lock contention. If this is still a problem, we can resurrect the MPMC ring buffer, but for now let's see if good old ptr_ring does the trick.
Reported-by: Streun Fabio <fstreun@student.ethz.ch>
Reported-by: Joel Wanner <joel.wanner@inf.ethz.ch>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

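Added example for the two handshake-queue commits on this page (the ring buffer above, and "receive: drop handshakes if queue lock is contended" further up). It is written for this page and is not wireguard-nt's or Linux's ptr_ring code: a small bounded ring of pending handshake packets behind a spinlock that the receive path only tries to take. A producer that finds the lock held drops its packet instead of spinning, on the reasoning in the commit message that heavy contention means the queue is near capacity anyway, so unauthenticated handshake traffic cannot stall the data path. The consumer, standing in for the handshake worker thread, spins for the lock. RING_SIZE, the packet stand-ins and the function names are assumptions for this example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RING_SIZE 8 /* power of two; a real ring is larger (assumption) */

struct handshake_ring {
    atomic_flag lock;                /* spinlock; producers only try it */
    void *slots[RING_SIZE];
    unsigned head;                   /* next slot to consume */
    unsigned tail;                   /* next free slot */
    unsigned long dropped_full;      /* lock was free but ring was full */
    unsigned long dropped_contended; /* lock was held by another CPU */
};

void ring_init(struct handshake_ring *r)
{
    atomic_flag_clear(&r->lock);
    r->head = r->tail = 0;
    r->dropped_full = r->dropped_contended = 0;
}

static bool ring_trylock(struct handshake_ring *r)
{
    return !atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire);
}

static void ring_lock(struct handshake_ring *r)
{
    while (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire))
        ; /* only the consumer is allowed to spin */
}

static void ring_unlock(struct handshake_ring *r)
{
    atomic_flag_clear_explicit(&r->lock, memory_order_release);
}

/* Receive path, possibly entered from many CPUs at once. Returns false when
 * the packet was dropped, either because the ring is full or because the lock
 * was contended; in the latter case no time is spent waiting. */
bool ring_try_enqueue(struct handshake_ring *r, void *pkt)
{
    bool queued = false;

    if (!ring_trylock(r)) {
        r->dropped_contended++; /* demo-only counter; a driver would use per-CPU stats */
        return false;
    }
    if (r->tail - r->head < RING_SIZE) {
        r->slots[r->tail & (RING_SIZE - 1)] = pkt;
        r->tail++;
        queued = true;
    } else {
        r->dropped_full++;
    }
    ring_unlock(r);
    return queued;
}

/* Handshake worker: takes the lock unconditionally, NULL when empty. */
void *ring_dequeue(struct handshake_ring *r)
{
    void *pkt = NULL;

    ring_lock(r);
    if (r->tail != r->head) {
        pkt = r->slots[r->head & (RING_SIZE - 1)];
        r->head++;
    }
    ring_unlock(r);
    return pkt;
}

struct demo_result {
    int queued;                  /* packets the ring accepted */
    unsigned long dropped_full;
    unsigned long dropped_contended;
    int drained_in_order;        /* 1 if dequeue returned them FIFO */
};

/* Scenario: a burst of `burst` handshake packets arrives, then one more
 * arrives while another CPU holds the lock, then the worker drains the ring. */
struct demo_result ring_demo(int burst)
{
    static int packets[64]; /* constructed stand-ins for handshake packets */
    struct handshake_ring r;
    struct demo_result res = { 0 };

    ring_init(&r);
    if (burst > 64)
        burst = 64;
    for (int i = 0; i < burst; i++)
        res.queued += ring_try_enqueue(&r, &packets[i]);

    ring_lock(&r);                     /* simulate another CPU mid-enqueue */
    ring_try_enqueue(&r, &packets[0]); /* dropped as contended, no spinning */
    ring_unlock(&r);

    res.drained_in_order = 1;
    for (int i = 0;; i++) {
        void *p = ring_dequeue(&r);
        if (!p)
            break;
        if (p != &packets[i])
            res.drained_in_order = 0;
    }
    res.dropped_full = r.dropped_full;
    res.dropped_contended = r.dropped_contended;
    return res;
}

int main(void)
{
    struct demo_result d = ring_demo(12);
    printf("queued %d, dropped full %lu, dropped contended %lu, FIFO %d\n",
           d.queued, d.dropped_full, d.dropped_contended, d.drained_in_order);
    return 0;
}
```

With a burst of 12 against an 8-slot ring, 8 packets are accepted, 4 are dropped as "full", and the one that arrives under contention is dropped without ever touching the ring.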
* driver: device: give up on doing ICMP on NDIS | Jason A. Donenfeld | 2021-08-09 | 1 | -5/+1
With the way NAT and such is designed, this is never going to happen. Give up on it.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: rework loop routing, endpoint resolution, and reduce ctx | Jason A. Donenfeld | 2021-08-09 | 3 | -188/+230
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: device: devicelist is now private | Jason A. Donenfeld | 2021-08-08 | 2 | -5/+2
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: allow loop routing | Jason A. Donenfeld | 2021-08-08 | 2 | -20/+2
You can still create loops, but ever since we started making copies on both RX and TX, and freeing TX buffers really early (after encryption), we no longer have a stack chaining issue on free.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: logging: pass timestamp back to userspace | Jason A. Donenfeld | 2021-08-08 | 4 | -12/+21
It turns out the precision is very useful for diagnosing weird errors.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: logging: add more ring buffer log entries | Jason A. Donenfeld | 2021-08-08 | 1 | -1/+1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: undocumented: use better SAL for ZwQuerySystemInformation | Jason A. Donenfeld | 2021-08-08 | 1 | -12/+9
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: mark as network driver rather than system driver | Jason A. Donenfeld | 2021-08-08 | 1 | -1/+1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: receive: simplify endpoint setting | Jason A. Donenfeld | 2021-08-08 | 1 | -7/+3
This is a holdover from Linux, where we reset the packet before consuming.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: device: chicken out on NSI hijack, and revert to polling | Jason A. Donenfeld | 2021-08-05 | 2 | -137/+45
This reverts commit 217922afde75df527cada3224df8930264375fa1.
The NSI hijack works so well! But video game anti-cheat stuff make this annoying. At least GetIpInterfaceEntry only takes 70,000 cycles...
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: device: hack around broken IP notifier by hijacking \Device\Nsi | Jason A. Donenfeld | 2021-08-05 | 2 | -45/+137
This is very dirty and reverse engineered, but it seems to work, and it's a stop-gap solution until Windows patches ship.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: device: hack around broken IP notifier by polling | Jason A. Donenfeld | 2021-08-05 | 1 | -1/+75
Not pretty, but functional.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: device: implement MTU notifications properly, even if broken | Jason A. Donenfeld | 2021-08-05 | 4 | -109/+57
Let's assume that Windows is operating as described, and then later we can hack around the limitations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: use implicit CMSG_SPACE for total length, for v6 | Jason A. Donenfeld | 2021-08-04 | 1 | -2/+2
It expects to receive the total space, with padding, for the cmsg length argument, so pad out cmsg_len to the data padding multiple, which amounts to the same thing. This will fix IPv6 endpoints.
Reported-by: Darren VanBuren <onekopaka@theoks.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

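Added example for this commit and for "socket: work around tcpip cmsg stripping bug" earlier on the page. It is written for this page against the POSIX/Linux CMSG_* macros, not wireguard-nt's WSK code, and it shows the two points those commits make: the total control length handed to the stack is the sum of each message's padded CMSG_SPACE(), not of the unpadded CMSG_LEN() values; and a second, harmless control message can be chained after IP_PKTINFO so that IP_PKTINFO is no longer the only one present. IP_WFP_REDIRECT_RECORDS has no POSIX counterpart, so IP_TOS stands in for the second message here (an assumption for illustration); the interface index, source address and function names are likewise constructed for the example.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Capacity for IP_PKTINFO plus one int-sized message, both padded. */
#define CTL_CAP (CMSG_SPACE(sizeof(struct in_pktinfo)) + CMSG_SPACE(sizeof(int)))

struct ctl_buf {
    unsigned char data[CTL_CAP];
    size_t len; /* value msg_controllen must carry on sendmsg() */
};

/* Build IP_PKTINFO (source interface and address) and optionally a second
 * control message. Returns the total padded length. */
size_t build_control(struct ctl_buf *buf, unsigned ifindex, struct in_addr src,
                     int with_second)
{
    struct msghdr msg;
    struct cmsghdr *c;
    struct in_pktinfo *pi;
    int tos = 0;

    memset(buf, 0, sizeof *buf);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = buf->data;
    msg.msg_controllen = sizeof buf->data;

    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof *pi);  /* header + payload, unpadded */
    pi = (struct in_pktinfo *)CMSG_DATA(c);
    pi->ipi_ifindex = (int)ifindex;
    pi->ipi_spec_dst = src;
    buf->len = CMSG_SPACE(sizeof *pi);   /* header + payload + alignment padding */

    if (with_second) {
        c = CMSG_NXTHDR(&msg, c);        /* steps over the padding for us */
        c->cmsg_level = IPPROTO_IP;
        c->cmsg_type = IP_TOS;           /* stand-in for IP_WFP_REDIRECT_RECORDS */
        c->cmsg_len = CMSG_LEN(sizeof tos);
        memcpy(CMSG_DATA(c), &tos, sizeof tos);
        buf->len += CMSG_SPACE(sizeof tos);
    }
    return buf->len;
}

/* Walk the buffer the way the receiving stack would, honouring only the
 * declared length; records up to `max` message types and returns the count. */
int walk_control(const struct ctl_buf *buf, int *types, int max)
{
    struct msghdr msg;
    struct cmsghdr *c;
    int n = 0;

    memset(&msg, 0, sizeof msg);
    msg.msg_control = (void *)buf->data;
    msg.msg_controllen = buf->len;
    for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (n < max)
            types[n] = c->cmsg_type;
        n++;
    }
    return n;
}

/* Helpers for the demo: build with constructed values and walk back. */
size_t demo_len(int with_second)
{
    struct ctl_buf buf;
    struct in_addr src = { .s_addr = htonl(0x0A000001) }; /* 10.0.0.1, constructed */
    return build_control(&buf, 2, src, with_second);
}

int demo_count(int with_second)
{
    struct ctl_buf buf;
    struct in_addr src = { .s_addr = htonl(0x0A000001) };
    int types[4];
    build_control(&buf, 2, src, with_second);
    return walk_control(&buf, types, 4);
}

int demo_second_type(void)
{
    struct ctl_buf buf;
    struct in_addr src = { .s_addr = htonl(0x0A000001) };
    int types[4];
    build_control(&buf, 2, src, 1);
    return walk_control(&buf, types, 4) >= 2 ? types[1] : -1;
}

int main(void)
{
    printf("IP_PKTINFO only: %zu bytes, %d message(s)\n", demo_len(0), demo_count(0));
    printf("with second cmsg: %zu bytes, %d message(s)\n", demo_len(1), demo_count(1));
    return 0;
}
```

If the declared length were the sum of CMSG_LEN() values instead, the walk would stop after the first message on platforms where the padding is non-zero, which is the IPv6 breakage the commit describes.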
* driver: socket: allocate large rows on heap | Jason A. Donenfeld | 2021-08-04 | 1 | -6/+14
The most ridiculous function gets even more ridiculous: we need a heap allocation. We should probably find a new strategy here, as this is growing unwieldy.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: memory: allocate NBL, NB, and MDL all at once when possible for TX | Jason A. Donenfeld | 2021-08-04 | 1 | -0/+14
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: memory: allocate NB and MDL all at once for TX | Jason A. Donenfeld | 2021-08-04 | 1 | -55/+46
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: memory: allocate NBL, NB, and MDL all at once for RX | Jason A. Donenfeld | 2021-08-04 | 1 | -31/+77
This increases performance considerably.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: memory: move NBL pools to global scope | Jason A. Donenfeld | 2021-08-04 | 9 | -88/+64
This is preparation for the next commit, which will attempt to allocate everything at once for the RX path.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: ioctl: don't set endpoint get flag if no endpoint | Jason A. Donenfeld | 2021-08-03 | 1 | -1/+6
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: ignore interfaces with down oper status | Jason A. Donenfeld | 2021-08-03 | 1 | -4/+7
This should allow better transition between wifi and wired.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: ioctl: remove device update generation | Jason A. Donenfeld | 2021-08-03 | 3 | -4/+1
We're not (yet?) doing cursored gets, so this isn't in use. Remove it.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

* driver: socket: increment local endpoint update generation | Jason A. Donenfeld | 2021-08-03 | 1 | -1/+1
Otherwise we wind up retrying and doing the routing generation comparison at the top needlessly.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>