From 7f0f10ad935d0770ab540d6e4dd543bc8120e5ba Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 3 Aug 2021 02:09:30 +0200 Subject: driver: receive: don't use ParentNetBuffer when passing off NBLs to NDIS Otherwise WFP attempts to correlate flows and winds up dereferencing garbage in ParentNetBuffer->NetBufferListInfo[WfpNetBufferListInfo]. Reported-by: Sam Sun Reported-by: Jauder Ho Signed-off-by: Jason A. Donenfeld --- driver/queueing.h | 4 ++-- driver/receive.c | 1 - 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/driver/queueing.h b/driver/queueing.h
index 81f49c5..ea87ca3 100644
--- a/driver/queueing.h
+++ b/driver/queueing.h
@@ -109,7 +109,7 @@ PeerSerialDequeue(_Inout_ PEER_SERIAL *Serial)
 * NBL[1] = prev queue link
 * NB[0-1] = nonce
 * NB[2] = keypair
- * NB[3] =
+ * NB[3] = wsk datagram indication (rx only)
 */
 #define NET_BUFFER_NONCE(Nb) (*(UINT64 *)&NET_BUFFER_MINIPORT_RESERVED(Nb)[0])
 #define NET_BUFFER_LIST_KEYPAIR(Nbl) \
@@ -118,7 +118,7 @@ PeerSerialDequeue(_Inout_ PEER_SERIAL *Serial)
 #define NET_BUFFER_LIST_CRYPT_STATE(Nbl) ((LONG *)&NET_BUFFER_LIST_MINIPORT_RESERVED(Nbl)[0])
 #define NET_BUFFER_LIST_PER_PEER_LIST_LINK(Nbl) (*(NET_BUFFER_LIST **)&NET_BUFFER_LIST_MINIPORT_RESERVED(Nbl)[1])
 #define NET_BUFFER_LIST_PROTOCOL(Nbl) ((UINT16_BE)(ULONG_PTR)NET_BUFFER_LIST_INFO(Nbl, NetBufferListProtocolId))
-#define NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl) (*(WSK_DATAGRAM_INDICATION **)&Nbl->ParentNetBufferList)
+#define NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl) (*(WSK_DATAGRAM_INDICATION **)&NET_BUFFER_MINIPORT_RESERVED(NET_BUFFER_LIST_FIRST_NB(Nbl))[3])
 
 /* receive.c APIs: */
 _IRQL_requires_max_(DISPATCH_LEVEL)
diff --git a/driver/receive.c b/driver/receive.c
index 9fc9cdb..cda511a 100644
--- a/driver/receive.c
+++ b/driver/receive.c
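Review bot: The new NET_BUFFER_LIST_DATAGRAM_INDICATION macro in the -118 hunk fixes the WFP dereference, but nothing in queueing.h records why `Nbl->ParentNetBufferList` must not be used as storage, so the reasoning survives only in the commit message and someone short of a free NBL slot may well reintroduce it. Suggest a comment above the new macro such as `/* Kept in the first NB's MiniportReserved[3], never in Nbl->ParentNetBufferList: WFP follows ParentNetBufferList to NetBufferListInfo[WfpNetBufferListInfo] on NBLs indicated to NDIS. */`. The macro also only ever reads the first NET_BUFFER of the list, which matches the reserved-slot map updated in the -109 hunk (NB[3], rx only); presumably every rx NBL coming from WSK carries its indication on that first NB, and that assumption is worth stating in the same comment so it is checked if multi-NB receive lists ever appear.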
@@ -616,7 +616,6 @@ FreeReceiveNetBufferList(WG_DEVICE *Wg, NET_BUFFER_LIST *First)
 NextNbl = NET_BUFFER_LIST_NEXT_NBL(Nbl);
 NET_BUFFER_LIST_NEXT_NBL(Nbl) = NULL;
 WSK_DATAGRAM_INDICATION *DatagramIndication = NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl);
- NET_BUFFER_LIST_DATAGRAM_INDICATION(Nbl) = NULL;
 SOCKET *Socket = (SOCKET *)DatagramIndication->Next;
 DatagramIndication->Next = NULL;
 ((WSK_PROVIDER_DATAGRAM_DISPATCH *)Socket->Sock->Dispatch)->WskRelease(Socket->Sock, DatagramIndication);
-- cgit v1.2.3-59-g8ed1b
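Review bot: With the `= NULL` reset removed, the datagram-indication pointer is still sitting in the NB's MiniportReserved[3] when WskRelease hands the buffer back on the last line of the hunk, whereas the old code deliberately cleared the slot before release; nothing visible here reads it afterwards, so the removal looks intentional, but a one-line comment would stop a future reader from restoring the line, e.g. `/* NB[3] is left set: the NB goes back to WSK via WskRelease and is not touched again here. */`. The `Next` field of the indication is still being used as an in-band carrier for the SOCKET pointer two lines above, and that convention is also undocumented at this site; a short note naming where it is set would help. The enclosing loop and the start of FreeReceiveNetBufferList are outside the hunk, so whether the NBL can be reached again after release cannot be confirmed from here.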