From 6085957d9d2fe451645be4f0fc64cf27e759e145 Mon Sep 17 00:00:00 2001
From: Simon Rozman <simon@rozman.si>
Date: Thu, 28 Mar 2019 11:47:30 +0100
Subject: [PATCH] Check buffer for oversize after MDL size consultation

Signed-off-by: Simon Rozman <simon@rozman.si>
---
 wintun.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wintun.c b/wintun.c
index ad216c6..0e8de0d 100644
--- a/wintun.c
+++ b/wintun.c
@@ -288,8 +288,6 @@ static NTSTATUS TunGetIrpBuffer(_In_ IRP *Irp, _Out_ UCHAR **buffer, _Out_ ULONG
 	default:
 		return STATUS_INVALID_PARAMETER;
 	}
-	if (*size > TUN_EXCH_MAX_BUFFER_SIZE)
-		return STATUS_INVALID_USER_BUFFER;
 
 	/* Get buffer size and address. */
 	if (!Irp->MdlAddress)
@@ -301,6 +299,9 @@ static NTSTATUS TunGetIrpBuffer(_In_ IRP *Irp, _Out_ UCHAR **buffer, _Out_ ULONG
 	if (size_mdl < *size)
 		*size = size_mdl;
 
+	if (*size > TUN_EXCH_MAX_BUFFER_SIZE)
+		return STATUS_INVALID_USER_BUFFER;
+
 	return STATUS_SUCCESS;
 }