Skip to content

Prevent potential integer overflow when computing PACKET_OID_DATA allocation size#1647

Open
nidu-ninja wants to merge 1 commit intothe-tcpdump-group:masterfrom
nidu-ninja:windows-npf-oid-allocation-overflow
Open

Prevent potential integer overflow when computing PACKET_OID_DATA allocation size#1647
nidu-ninja wants to merge 1 commit intothe-tcpdump-group:masterfrom
nidu-ninja:windows-npf-oid-allocation-overflow

Conversation

@nidu-ninja
Copy link
Copy Markdown

@nidu-ninja nidu-ninja commented Mar 7, 2026
edited
Loading

This change adds a defensive check when computing the allocation size for PACKET_OID_DATA structures used in Windows NPF OID request handling.

The allocation size is computed using:

offsetof(PACKET_OID_DATA, Data) + *lenp

If *lenp were extremely large, the addition could overflow size_t, which could cause malloc() to allocate a buffer smaller than intended.

In practice, lenp is provided by the calling application through the public API and is not derived from external input, so this should not be considered a vulnerability. However, adding an explicit check prevents the arithmetic from overflowing and makes the allocation logic more robust.

@nidu-ninja
This patch prevents a potential integer overflow when computing the a…
d6ea7aa 
…llocation size for PACKET_OID_DATA buffers used in Windows NPF OID request handlers.

Both oid_get_request() and pcap_oid_set_request_npf() allocate memory using a size derived from:

offsetof(PACKET_OID_DATA, Data) + *lenp

If *lenp is extremely large, this addition may overflow size_t, causing a small allocation while subsequent operations assume a larger buffer. This can lead to heap memory corruption when the driver writes OID response data into the buffer.

The patch introduces explicit overflow checks before computing the allocation size and uses a safe allocation pattern.
@infrastation
Copy link
Copy Markdown
Member

infrastation commented Mar 7, 2026

Please clean this up completely and explain why this is not a vulnerability.

@nidu-ninja nidu-ninja changed the title Fix integer overflow in PACKET_OID_DATA allocation for Windows NPF OID requests Prevent potential integer overflow when computing PACKET_OID_DATA allocation size Mar 8, 2026
@nidu-ninja
Copy link
Copy Markdown
Author

nidu-ninja commented Mar 8, 2026

Thank you for the review.

You are correct that this should not be considered a vulnerability. The lenp value is provided by the calling application through the public API and is not derived from external or attacker-controlled input such as packets, files, or driver responses. Because of that, an excessively large value would only occur if the application itself misused the API.

The change simply adds a defensive check before computing the allocation size:

offsetof(PACKET_OID_DATA, Data) + *lenp

If *lenp were extremely large, that arithmetic could overflow size_t, potentially resulting in a smaller allocation than intended. While this situation would require incorrect usage by the caller, the added check ensures the size calculation cannot overflow and makes the allocation logic safer.

I will clean up the patch and description to present this purely as a defensive improvement to the allocation size calculation rather than a security vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nidu-ninja @infrastation