Check buffer for oversize after MDL size consultation

Signed-off-by: Simon Rozman <simon@rozman.si>
2019-03-28 11:47:30 +01:00 · 2019-03-28 11:47:30 +01:00 · 6085957d9d
commit 6085957d9d
parent 69d6f003e4
1 changed files with 3 additions and 2 deletions
--- a/wintun.c
+++ b/wintun.c
@ -288,8 +288,6 @@ static NTSTATUS TunGetIrpBuffer(_In_ IRP *Irp, _Out_ UCHAR **buffer, _Out_ ULONG
 	default:
 		return STATUS_INVALID_PARAMETER;
 	}
-	if (*size > TUN_EXCH_MAX_BUFFER_SIZE)
-		return STATUS_INVALID_USER_BUFFER;

 	/* Get buffer size and address. */
 	if (!Irp->MdlAddress)
@ -301,6 +299,9 @@ static NTSTATUS TunGetIrpBuffer(_In_ IRP *Irp, _Out_ UCHAR **buffer, _Out_ ULONG
 	if (size_mdl < *size)
 		*size = size_mdl;

+	if (*size > TUN_EXCH_MAX_BUFFER_SIZE)
+		return STATUS_INVALID_USER_BUFFER;
+
 	return STATUS_SUCCESS;
 }