Fix potential integer overflow in TapSharedSendPacket

Following code:

  unsigned int            fullLength;
  <..>
  fullLength = PacketLength + PrefixLength;

could cause an integer overflow, which results in a smaller memory
allocation than required, which later causes a buffer overflow and
a bug check.

Fix by checking overflow condition and fail the IRP in case of
overflow.

CVE: 2024-1305

Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Lev Stipakov 2024-02-27 14:19:07 +02:00 committed by Lev Stipakov
parent dc230ae845
commit 0cad8664c2
2 changed files with 19 additions and 7 deletions


@ -26,6 +26,8 @@
// Include files. // Include files.
// //
#include <limits.h>
#include "tap.h" #include "tap.h"
//====================================================================== //======================================================================
@ -398,14 +400,24 @@ TapSharedSendPacket(
) )
{ {
PIO_STACK_LOCATION irpSp; PIO_STACK_LOCATION irpSp;
unsigned int fullLength;
PNET_BUFFER_LIST netBufferList = NULL; PNET_BUFFER_LIST netBufferList = NULL;
PMDL mdl = NULL; // Head of MDL chain. PMDL mdl = NULL; // Head of MDL chain.
LONG nblCount; LONG nblCount;
irpSp = IoGetCurrentIrpStackLocation( Irp ); irpSp = IoGetCurrentIrpStackLocation( Irp );
fullLength = PacketLength + PrefixLength;
// check for possible ULONG overflow
if ((ULONG_MAX - PacketLength) < PrefixLength)
{
DEBUGP (("[%s] Packet size with prefix exceeds ULONG_MAX\n", MINIPORT_INSTANCE_ID (Adapter)));
NOTE_ERROR ();
// Fail the IRP
Irp->IoStatus.Information = 0;
return STATUS_INSUFFICIENT_RESOURCES;
}
ULONG fullLength = PacketLength + PrefixLength;
if(fullLength < TAP_MIN_FRAME_SIZE) if(fullLength < TAP_MIN_FRAME_SIZE)
{ {
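Review bot: The overflow guard `if ((ULONG_MAX - PacketLength) < PrefixLength)` is only correct if both parameters are ULONG-wide, and their declarations sit in the signature above this hunk, so that cannot be confirmed from here. The checked add from `<ntintsafe.h>` ties the test to the result type instead of a hand-picked limit: `if (!NT_SUCCESS(RtlULongAdd(PacketLength, PrefixLength, &fullLength)))`, with `ULONG fullLength;` kept among the declarations at the top of the function rather than declared mid-body. The early return sets `Irp->IoStatus.Information` but not `Irp->IoStatus.Status`, so the `// Fail the IRP` comment presumably relies on the caller completing the IRP with the returned status; saying so in the comment would help. `STATUS_INSUFFICIENT_RESOURCES` reports a bad length in the request as a resource shortage; `STATUS_INTEGER_OVERFLOW` would be easier to triage from logs. The function body continues past the end of the hunk, so whether `fullLength` also gets an upper bound before the allocation is not visible here.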


@ -2,14 +2,14 @@ dnl define the TAP version
define([PRODUCT_NAME], [TAP-Windows]) define([PRODUCT_NAME], [TAP-Windows])
define([PRODUCT_PACKAGE_NAME], [tap-windows]) define([PRODUCT_PACKAGE_NAME], [tap-windows])
define([PRODUCT_PUBLISHER], [OpenVPN Technologies, Inc.]) define([PRODUCT_PUBLISHER], [OpenVPN Technologies, Inc.])
define([PRODUCT_VERSION], [9.26.0]) define([PRODUCT_VERSION], [9.27.0])
define([PRODUCT_VERSION_RESOURCE], [9,26,0,0]) define([PRODUCT_VERSION_RESOURCE], [9,27,0,0])
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MAJOR], [9]) define([PRODUCT_TAP_WIN_MAJOR], [9])
define([PRODUCT_TAP_WIN_MINOR], [26]) define([PRODUCT_TAP_WIN_MINOR], [27])
define([PRODUCT_TAP_WIN_REVISION], [0]) define([PRODUCT_TAP_WIN_REVISION], [0])
define([PRODUCT_TAP_WIN_BUILD], [0]) define([PRODUCT_TAP_WIN_BUILD], [0])
define([PRODUCT_TAP_WIN_PROVIDER], [TAP-Windows Provider V9]) define([PRODUCT_TAP_WIN_PROVIDER], [TAP-Windows Provider V9])
define([PRODUCT_TAP_WIN_CHARACTERISTICS], [0x1]) define([PRODUCT_TAP_WIN_CHARACTERISTICS], [0x1])
define([PRODUCT_TAP_WIN_DEVICE_DESCRIPTION], [TAP-Windows Adapter V9]) define([PRODUCT_TAP_WIN_DEVICE_DESCRIPTION], [TAP-Windows Adapter V9])
define([PRODUCT_TAP_WIN_RELDATE], [04/27/2023]) define([PRODUCT_TAP_WIN_RELDATE], [02/27/2024])