Fix potential integer overflow in TapSharedSendPacket

lstipakov · lstipakov · commit 0cad8664c2a5 · 2024-03-19T15:44:04.000+02:00
Following code:

  unsigned int            fullLength;
  &lt;..&gt;
  fullLength = PacketLength + PrefixLength;

could cause integer overflow, which will result in allocation
of smaller size of memory, which later causes buffer overflow and
a bug check.

Fix by checking overflow condition and fail the IRP in case of
overflow.

CVE: 2024-1305

Reported-by: Vladimir Tokarev &lt;vtokarev@microsoft.com&gt;
Signed-off-by: Lev Stipakov &lt;lev@openvpn.net&gt;
diff --git a/src/rxpath.c b/src/rxpath.c
@@ -26,6 +26,8 @@
 // Include files.
 //
 
+#include <limits.h>
+
 #include "tap.h"
 
 //======================================================================
@@ -398,14 +400,24 @@ TapSharedSendPacket(
     )
 {
     PIO_STACK_LOCATION      irpSp;
-    unsigned int            fullLength;
     PNET_BUFFER_LIST        netBufferList = NULL;
     PMDL                    mdl = NULL;    // Head of MDL chain.
     LONG                    nblCount;
 
-
     irpSp = IoGetCurrentIrpStackLocation( Irp );
-    fullLength = PacketLength + PrefixLength;
+
+    // check for possible ULONG overflow
+    if ((ULONG_MAX - PacketLength) < PrefixLength)
+    {
+        DEBUGP (("[%s] Packet size with prefix exceeds ULONG_MAX\n", MINIPORT_INSTANCE_ID (Adapter)));
+        NOTE_ERROR ();
+
+        // Fail the IRP
+        Irp->IoStatus.Information = 0;
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+
+    ULONG fullLength = PacketLength + PrefixLength;
 
     if(fullLength < TAP_MIN_FRAME_SIZE)
     {
diff --git a/version.m4 b/version.m4
@@ -2,14 +2,14 @@ dnl define the TAP version
 define([PRODUCT_NAME], [TAP-Windows])
 define([PRODUCT_PACKAGE_NAME], [tap-windows])
 define([PRODUCT_PUBLISHER], [OpenVPN Technologies, Inc.])
-define([PRODUCT_VERSION], [9.26.0])
-define([PRODUCT_VERSION_RESOURCE], [9,26,0,0])
+define([PRODUCT_VERSION], [9.27.0])
+define([PRODUCT_VERSION_RESOURCE], [9,27,0,0])
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MAJOR], [9])
-define([PRODUCT_TAP_WIN_MINOR], [26])
+define([PRODUCT_TAP_WIN_MINOR], [27])
 define([PRODUCT_TAP_WIN_REVISION], [0])
 define([PRODUCT_TAP_WIN_BUILD], [0])
 define([PRODUCT_TAP_WIN_PROVIDER], [TAP-Windows Provider V9])
 define([PRODUCT_TAP_WIN_CHARACTERISTICS], [0x1])
 define([PRODUCT_TAP_WIN_DEVICE_DESCRIPTION], [TAP-Windows Adapter V9])
-define([PRODUCT_TAP_WIN_RELDATE], [04/27/2023])
+define([PRODUCT_TAP_WIN_RELDATE], [02/27/2024])
