Add buffer length check to OID_GEN_INTERRUPT_MODERATION query (CVE-20…

…18-11674)

The current code would not check if the buffer passed in from userland
is big enough to handle the returned struct.  So passing in a NULL
buffer or a too-short buffer can result in a BSOD or memory corruption.

Exploitable by a unprivileged usermode program, but not remotely.

Add length check, modeled after the existing OID_GEN_STATISTICS buffer
size check / error return.

Discovered by Cesar Cerrudo (IOActive), Ilja Van Sprundel (IOActive),
Enrique Nissim (IOActive).

v2:
  add Tested-By: and CVE ID
v3:
  fix size comparison (NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1)

CVE: 2018-11674

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-by: Jon Kunkee <jkunkee@microsoft.com>

src/oidrequest.c

@@ -648,10 +648,18 @@ Return Value:
         break;
 
     case OID_GEN_INTERRUPT_MODERATION:
+        if (OidRequest->DATA.QUERY_INFORMATION.InformationBufferLength < sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS))
+        {
+            status = NDIS_STATUS_INVALID_LENGTH;
+            OidRequest->DATA.QUERY_INFORMATION.BytesNeeded = sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS);
+            break;
+        }
+        else
         {
             PNDIS_INTERRUPT_MODERATION_PARAMETERS moderationParams
                 = (PNDIS_INTERRUPT_MODERATION_PARAMETERS)OidRequest->DATA.QUERY_INFORMATION.InformationBuffer;
 
+            {C_ASSERT(sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS) >= NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1);}
             moderationParams->Header.Type = NDIS_OBJECT_TYPE_DEFAULT; 
             moderationParams->Header.Revision = NDIS_INTERRUPT_MODERATION_PARAMETERS_REVISION_1;
             moderationParams->Header.Size = NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1;