Commit
Add buffer length check to OID_GEN_INTERRUPT_MODERATION query (CVE-2018-11674)

The current code would not check if the buffer passed in from userland is big enough to handle the returned struct. So passing in a NULL buffer or a too-short buffer can result in a BSOD or memory corruption. Exploitable by an unprivileged usermode program, but not remotely.

Add length check, modeled after the existing OID_GEN_STATISTICS buffer size check / error return.

Discovered by Cesar Cerrudo (IOActive), Ilja Van Sprundel (IOActive), Enrique Nissim (IOActive).

v2: add Tested-By: and CVE ID
v3: fix size comparison (NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1)

CVE: 2018-11674
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-by: Jon Kunkee <jkunkee@microsoft.com>
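A user-space model of the length check the commit message describes, added here as an example and not taken from the driver or the commit itself. The struct layout, function name and status names are hypothetical stand-ins for the driver's own types.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the struct the query returns (not the real NDIS layout). */
typedef struct {
    uint8_t  type, revision;
    uint16_t size;
    uint32_t flags;
    uint32_t interrupt_moderation;
} moderation_params;

/* Hypothetical status codes for this model. */
enum query_status { QUERY_OK = 0, QUERY_INVALID_LENGTH = 1 };

/*
 * Model of the query handler. buf and buf_len are caller-controlled.
 * On failure nothing is written, and *bytes_needed tells the caller
 * how large a buffer to retry with.
 */
enum query_status query_interrupt_moderation(void *buf, size_t buf_len,
                                             size_t *bytes_written,
                                             size_t *bytes_needed)
{
    const size_t need = sizeof(moderation_params);

    *bytes_written = 0;
    *bytes_needed = 0;

    /* Reject a NULL or too-short buffer before touching it. Without this
     * check the memcpy below dereferences NULL or writes past the end of
     * the caller's buffer. */
    if (buf == NULL || buf_len < need) {
        *bytes_needed = need;
        return QUERY_INVALID_LENGTH;
    }

    moderation_params out;
    memset(&out, 0, sizeof out);    /* zero first so no stale stack bytes are returned */
    out.revision = 1;
    out.size = (uint16_t)need;
    out.interrupt_moderation = 0;   /* constructed sample value */

    memcpy(buf, &out, need);
    *bytes_written = need;
    return QUERY_OK;
}
```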