
Add buffer length check to OID_GEN_INTERRUPT_MODERATION query (CVE-2018-11674)

The current code would not check if the buffer passed in from userland
is big enough to handle the returned struct.  So passing in a NULL
buffer or a too-short buffer can result in a BSOD or memory corruption.

Exploitable by an unprivileged usermode program, but not remotely.

Add length check, modeled after the existing OID_GEN_STATISTICS buffer
size check / error return.

Discovered by Cesar Cerrudo (IOActive), Ilja Van Sprundel (IOActive),
Enrique Nissim (IOActive).

v2:
  add Tested-By: and CVE ID
v3:
  fix size comparison (NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1)

CVE: 2018-11674

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-by: Jon Kunkee <jkunkee@microsoft.com>
cron2 committed May 24, 2018
1 parent 8e437cb commit 443bb3b033c167467defa755b6d210e10c2dcd34
Showing with 8 additions and 0 deletions.
  1. +8 −0 src/oidrequest.c
@@ -648,10 +648,18 @@ Return Value:
break;

case OID_GEN_INTERRUPT_MODERATION:
if (OidRequest->DATA.QUERY_INFORMATION.InformationBufferLength < sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS))
{
status = NDIS_STATUS_INVALID_LENGTH;
OidRequest->DATA.QUERY_INFORMATION.BytesNeeded = sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS);
break;
}
else
{
PNDIS_INTERRUPT_MODERATION_PARAMETERS moderationParams
= (PNDIS_INTERRUPT_MODERATION_PARAMETERS)OidRequest->DATA.QUERY_INFORMATION.InformationBuffer;

{C_ASSERT(sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS) >= NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1);}
moderationParams->Header.Type = NDIS_OBJECT_TYPE_DEFAULT;
moderationParams->Header.Revision = NDIS_INTERRUPT_MODERATION_PARAMETERS_REVISION_1;
moderationParams->Header.Size = NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1;
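Review bot: the new check and the BytesNeeded value both use sizeof(NDIS_INTERRUPT_MODERATION_PARAMETERS), while the success path below only fills the revision-1 layout and sets Header.Size to NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1, and the existing C_ASSERT only guarantees sizeof(...) >= that constant. On a headers set where the struct is larger than the revision-1 size, a caller that supplies exactly NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1 bytes would be rejected with NDIS_STATUS_INVALID_LENGTH even though every byte the driver writes would fit; consider comparing against and reporting NDIS_SIZEOF_INTERRUPT_MODERATION_PARAMETERS_REVISION_1 instead, which also matches the v3 note in the commit message. Minor style point: the `else` after an unconditional `break;` is redundant and can be dropped to reduce indentation.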
