From 0cad8664c2a51832df61f2e1853b6da317d1c129 Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Tue, 27 Feb 2024 14:19:07 +0200 Subject: [PATCH] Fix potential integer overflow in TapSharedSendPacket Following code: unsigned int fullLength; <..> fullLength = PacketLength + PrefixLength; could cause integer overflow, which will result in allocation of smaller size of memory, which later causes buffer overflow and a bug check. Fix by checking overflow condition and fail the IRP in case of overflow. CVE: 2024-1305 Reported-by: Vladimir Tokarev Signed-off-by: Lev Stipakov --- src/rxpath.c | 18 +++++++++++++++--- version.m4 | 8 ++++---- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/src/rxpath.c b/src/rxpath.c index b63394e..a658c7e 100644 --- a/src/rxpath.c +++ b/src/rxpath.c @@ -26,6 +26,8 @@ // Include files. // +#include + #include "tap.h" //====================================================================== @@ -398,14 +400,24 @@ TapSharedSendPacket( ) { PIO_STACK_LOCATION irpSp; - unsigned int fullLength; PNET_BUFFER_LIST netBufferList = NULL; PMDL mdl = NULL; // Head of MDL chain. LONG nblCount; - irpSp = IoGetCurrentIrpStackLocation( Irp ); - fullLength = PacketLength + PrefixLength; + + // check for possible ULONG overflow + if ((ULONG_MAX - PacketLength) < PrefixLength) + { + DEBUGP (("[%s] Packet size with prefix exceeds ULONG_MAX\n", MINIPORT_INSTANCE_ID (Adapter))); + NOTE_ERROR (); + + // Fail the IRP + Irp->IoStatus.Information = 0; + return STATUS_INSUFFICIENT_RESOURCES; + } + + ULONG fullLength = PacketLength + PrefixLength; if(fullLength < TAP_MIN_FRAME_SIZE) { diff --git a/version.m4 b/version.m4 index 2795c40..f0abd2d 100644 --- a/version.m4 +++ b/version.m4 
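Review bot: The new guard `(ULONG_MAX - PacketLength) < PrefixLength` in the second rxpath.c hunk is only sound if both operands are unsigned and no wider than ULONG; their declarations are in the TapSharedSendPacket parameter list, which starts outside this hunk, so that is worth confirming. The WDK helper from `ntintsafe.h` would fold the check and the addition into one typed call, `if (!NT_SUCCESS(RtlULongAdd(PacketLength, PrefixLength, &fullLength)))`, with `fullLength` declared as ULONG beforehand, and would presumably make the include added in the first hunk unnecessary. Returning `STATUS_INSUFFICIENT_RESOURCES` reports a caller-supplied bad length as a memory shortage; `STATUS_INTEGER_OVERFLOW` or `STATUS_INVALID_BUFFER_SIZE` would be easier to triage, and the DEBUGP line could print both lengths. The guard only rejects a wrapped sum, so any upper bound on `fullLength` has to come from code after the hunk.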
@@ -2,14 +2,14 @@ dnl define the TAP version
 define([PRODUCT_NAME], [TAP-Windows])
 define([PRODUCT_PACKAGE_NAME], [tap-windows])
 define([PRODUCT_PUBLISHER], [OpenVPN Technologies, Inc.])
-define([PRODUCT_VERSION], [9.26.0])
-define([PRODUCT_VERSION_RESOURCE], [9,26,0,0])
+define([PRODUCT_VERSION], [9.27.0])
+define([PRODUCT_VERSION_RESOURCE], [9,27,0,0])
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MAJOR], [9])
-define([PRODUCT_TAP_WIN_MINOR], [26])
+define([PRODUCT_TAP_WIN_MINOR], [27])
 define([PRODUCT_TAP_WIN_REVISION], [0])
 define([PRODUCT_TAP_WIN_BUILD], [0])
 define([PRODUCT_TAP_WIN_PROVIDER], [TAP-Windows Provider V9])
 define([PRODUCT_TAP_WIN_CHARACTERISTICS], [0x1])
 define([PRODUCT_TAP_WIN_DEVICE_DESCRIPTION], [TAP-Windows Adapter V9])
-define([PRODUCT_TAP_WIN_RELDATE], [04/27/2023])
+define([PRODUCT_TAP_WIN_RELDATE], [02/27/2024])