Fix potential integer overflow in TapSharedSendPacket

Following code: unsigned int fullLength; <..> fullLength = PacketLength + PrefixLength; could cause integer overflow, which will result in allocation of smaller size of memory, which later causes buffer overflow and a bug check. Fix by checking overflow condition and fail the IRP in case of overflow. CVE: 2024-1305 Reported-by: Vladimir Tokarev <[email protected]> Signed-off-by: Lev Stipakov <[email protected]>
OpenVPN · Mar 19, 2024 · 0cad866 · 0cad866
1 parent dc230ae
commit 0cad866
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/src/rxpath.c b/src/rxpath.c
@@ -26,6 +26,8 @@
 // Include files.
 //
 
+#include <limits.h>
+
 #include "tap.h"
 
 //======================================================================
@@ -398,14 +400,24 @@ TapSharedSendPacket(
     )
 {
     PIO_STACK_LOCATION      irpSp;
-    unsigned int            fullLength;
     PNET_BUFFER_LIST        netBufferList = NULL;
     PMDL                    mdl = NULL;    // Head of MDL chain.
     LONG                    nblCount;
 
-
     irpSp = IoGetCurrentIrpStackLocation( Irp );
-    fullLength = PacketLength + PrefixLength;
+
+    // check for possible ULONG overflow
+    if ((ULONG_MAX - PacketLength) < PrefixLength)
+    {
+        DEBUGP (("[%s] Packet size with prefix exceeds ULONG_MAX\n", MINIPORT_INSTANCE_ID (Adapter)));
+        NOTE_ERROR ();
+
+        // Fail the IRP
+        Irp->IoStatus.Information = 0;
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+
+    ULONG fullLength = PacketLength + PrefixLength;
 
     if(fullLength < TAP_MIN_FRAME_SIZE)
     {

diff --git a/version.m4 b/version.m4
@@ -2,14 +2,14 @@ dnl define the TAP version
 define([PRODUCT_NAME], [TAP-Windows])
 define([PRODUCT_PACKAGE_NAME], [tap-windows])
 define([PRODUCT_PUBLISHER], [OpenVPN Technologies, Inc.])
-define([PRODUCT_VERSION], [9.26.0])
-define([PRODUCT_VERSION_RESOURCE], [9,26,0,0])
+define([PRODUCT_VERSION], [9.27.0])
+define([PRODUCT_VERSION_RESOURCE], [9,27,0,0])
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MAJOR], [9])
-define([PRODUCT_TAP_WIN_MINOR], [26])
+define([PRODUCT_TAP_WIN_MINOR], [27])
 define([PRODUCT_TAP_WIN_REVISION], [0])
 define([PRODUCT_TAP_WIN_BUILD], [0])
 define([PRODUCT_TAP_WIN_PROVIDER], [TAP-Windows Provider V9])
 define([PRODUCT_TAP_WIN_CHARACTERISTICS], [0x1])
 define([PRODUCT_TAP_WIN_DEVICE_DESCRIPTION], [TAP-Windows Adapter V9])
-define([PRODUCT_TAP_WIN_RELDATE], [04/27/2023])
+define([PRODUCT_TAP_WIN_RELDATE], [02/27/2024])