From 6cf9ac71c3d4b712a1aa0da7e93b4382dfa7f274 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Mon, 10 May 2021 19:02:49 +0200
Subject: [PATCH] driver: do not assume aligned addresses when allocating MDLs

IoAllocateMdl allocates a different size structure depending on the bottom in-page bits of the address. By passing null, it assumes that the address is aligned within the page, which it might not be. Fix this by passing the eventual virtual address to the allocation function so that the right amount is always allocated.

Reported-by: Oleksandr Muzychuk
Signed-off-by: Jason A. Donenfeld
---
 driver/wintun.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/driver/wintun.c b/driver/wintun.c
index 3e615bb..7cb72bb 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -517,13 +517,15 @@ TunProcessReceiveData(_Inout_ TUN_CTX *Ctx)
 break;
 RingHead = TUN_RING_WRAP(RingHead + AlignedPacketSize, RingCapacity);
- MDL *Mdl = IoAllocateMdl(NULL, PacketSize, FALSE, FALSE, NULL);
+ VOID *PacketAddr =
+ (UCHAR *)MmGetMdlVirtualAddress(Ctx->Device.Receive.Mdl) + (ULONG)(Packet->Data - (UCHAR *)Ring);
+ MDL *Mdl = IoAllocateMdl(PacketAddr, PacketSize, FALSE, FALSE, NULL);
 if (!Mdl) goto skipNbl;
 IoBuildPartialMdl( Ctx->Device.Receive.Mdl, Mdl,
- (UCHAR *)MmGetMdlVirtualAddress(Ctx->Device.Receive.Mdl) + (ULONG)(Packet->Data - (UCHAR *)Ring),
+ PacketAddr,
 PacketSize);
 NET_BUFFER_LIST *Nbl = NdisAllocateNetBufferAndNetBufferList(Ctx->NblPool, 0, 0, Mdl, 0, PacketSize);
 if (!Nbl)
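Review bot: The new `PacketAddr` local carries an invariant that is recorded only in the commit message: the address given to IoAllocateMdl must be the same one later given to IoBuildPartialMdl, because the MDL is sized from that address's in-page offset together with `PacketSize`. A short comment above the declaration would keep a later cleanup from reverting the first argument to `NULL`, for example `/* Size the MDL from the real VA: a packet starting mid-page can span one more page than an aligned one. */`. An undersized MDL would presumably let IoBuildPartialMdl write page entries past the allocation, so the comment is worth its two lines. The checks that bound `PacketSize` and the `Packet->Data` offset within the ring are not visible here, as TunProcessReceiveData starts and ends outside the hunk.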