#oob-read
2 pages tagged with "oob-read"
infosec
- ndfltr.sys: a 32-bit offset+length wrap into a kernel OOB read โ glaurung found an integer-overflow-before-bounds-check in the windows NetworkDirect filter driver: a 32-bit (offset+length) validation that wraps while the use site applies the offset as a 64-bit addend, sending the source pointer ~4 GiB out of bounds. unprivileged on RDMA hosts, but a denial-of-service floor โ and one of three candidate sites was a false positive we caught before disclosing.
- tcpip.sys Fse/port-tracker per-message length underflow (kernel OOB read, SEH-caught) โ a confirmed integer underflow in the windows tcp/ip Fse/port-tracker (WSL2 mirrored-networking) transport hands a ~4GB declared length to the MIDL/NDR decoder over a <32-byte buffer. the kernel out-of-bounds read executes on a live kernel but is caught by an RPC structured-exception handler; the one possible escalation (an info-leak to the peer) is refuted by static analysis. real but benign, on an opt-in surface.