Fix bug check in timer management routines
Commit b750b2c ("timer: refactor timers implementation")
has changed timer initialization logic and introduced a bug,
where calling SET_PEER ioctl after failed NEW_PEER ioctl
causes WDF_VIOLATION bug check, because we try to get a context
of a WDF object which is NULL.

Fix by adding NULL checks.

Note that this is not expected to happen with openvpn as a
driver client.

CVE: 2024-5198

Reported-By: Lukas Jokubauskas <[email protected]>
Signed-off-by: Lev Stipakov <[email protected]>
lstipakov committed May 23, 2024
1 parent b750b2c commit ed455c4
Showing 2 changed files with 18 additions and 2 deletions.
2 changes: 1 addition & 1 deletion PropertySheet.props
Expand Up @@ -3,7 +3,7 @@
<ImportGroup Label="PropertySheets" />
<PropertyGroup Label="UserMacros">
<OVPN_DCO_VERSION_MAJOR>1</OVPN_DCO_VERSION_MAJOR>
<OVPN_DCO_VERSION_MINOR>1</OVPN_DCO_VERSION_MINOR>
<OVPN_DCO_VERSION_MINOR>2</OVPN_DCO_VERSION_MINOR>
<OVPN_DCO_VERSION_PATCH>1</OVPN_DCO_VERSION_PATCH>
</PropertyGroup>
<PropertyGroup />
18 changes: 17 additions & 1 deletion timer.cpp
Expand Up @@ -170,28 +170,44 @@ NTSTATUS OvpnTimerCreate(WDFOBJECT parent, WDFTIMER* timer)
return status;
}

#define CHECK_TIMER_HANDLE(timer) \
do { \
if ((timer) == WDF_NO_HANDLE) { \
LOG_ERROR("Timer handle is not initialized"); \
return; \
} \
} while (0)

VOID OvpnTimerSetXmitInterval(WDFTIMER timer, LONG xmitInterval)
{
CHECK_TIMER_HANDLE(timer);

POVPN_TIMER_CONTEXT timerCtx = OvpnGetTimerContext(timer);
timerCtx->xmitInterval = xmitInterval;
KeQuerySystemTime(&timerCtx->lastXmit);
}

VOID OvpnTimerSetRecvTimeout(WDFTIMER timer, LONG recvTimeout)
{
CHECK_TIMER_HANDLE(timer);

POVPN_TIMER_CONTEXT timerCtx = OvpnGetTimerContext(timer);
timerCtx->recvTimeout = recvTimeout;
KeQuerySystemTime(&timerCtx->lastRecv);
}

VOID OvpnTimerResetXmit(WDFTIMER timer)
{
CHECK_TIMER_HANDLE(timer);

POVPN_TIMER_CONTEXT timerCtx = OvpnGetTimerContext(timer);
KeQuerySystemTime(&timerCtx->lastXmit);
}

VOID OvpnTimerResetRecv(WDFTIMER timer)
{
CHECK_TIMER_HANDLE(timer);

POVPN_TIMER_CONTEXT timerCtx = OvpnGetTimerContext(timer);
KeQuerySystemTime(&timerCtx->lastRecv);
}
}
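Review bot: CHECK_TIMER_HANDLE buries a `return` inside a macro and all four callers are VOID, so a request that reaches OvpnTimerSetXmitInterval or OvpnTimerSetRecvTimeout with an uninitialized handle is logged and dropped, and the caller has no way to fail the ioctl. The handler that issues these calls is not in this hunk and may already cover this, but it would be more robust to reject SET_PEER there with an error status when no peer or timer exists, keeping the check here as defence in depth. At minimum the macro deserves a comment such as `// Returns from the enclosing VOID function if the timer was never created (e.g. NEW_PEER failed); callers get no error.` Other routines in timer.cpp that take a WDFTIMER lie outside the hunk and may need the same guard.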
