Merge pull request #1583 from safing/fix/kext-bug

[windows_kext] Add check for previously injected packets in the ALE layer
safing · Jun 13, 2024 · dc4d506 · dc4d506
2 parents 866aef1 + db49f9a
commit dc4d506
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/windows_kext/driver/src/ale_callouts.rs b/windows_kext/driver/src/ale_callouts.rs
@@ -109,6 +109,15 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
         return;
     };
 
+    // Check if packet was previously injected from the packet layer.
+    if device
+        .injector
+        .was_network_packet_injected_by_self(data.get_layer_data() as _, ale_data.is_ipv6)
+    {
+        data.action_permit();
+        return;
+    }
+
     match ale_data.protocol {
         IpProtocol::Tcp | IpProtocol::Udp => {
             // Only TCP and UDP make sense to be supported in the ALE layer.
@@ -226,7 +235,11 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
         };
 
         // Connection is not in cache, add it.
-        crate::dbg!("ale layer adding connection: {} PID: {}", key, ale_data.process_id);
+        crate::dbg!(
+            "ale layer adding connection: {} PID: {}",
+            key,
+            ale_data.process_id
+        );
         if ale_data.is_ipv6 {
             let conn =
                 ConnectionV6::from_key(&key, ale_data.process_id, ale_data.direction).unwrap();

diff --git a/windows_kext/driver/src/device.rs b/windows_kext/driver/src/device.rs
@@ -164,6 +164,7 @@ impl Device {
                             crate::connection::Verdict::RedirectNameServer
                             | crate::connection::Verdict::RedirectTunnel => {
                                 if let Some(redirect_info) = redirect_info {
+                                    // Will not redirect packets from ALE layer
                                     if let Err(err) = packet.redirect(redirect_info) {
                                         err!("failed to redirect packet: {}", err);
                                     }
@@ -173,6 +174,8 @@ impl Device {
                                 }
                             }
                             _ => {
+                                // Inject only ALE layer. This will trigger proper block/drop.
+                                // Packet layer just drop the packet.
                                 if let Err(err) = self.inject_packet(packet, true) {
                                     err!("failed to inject packet: {}", err);
                                 }

diff --git a/windows_kext/driver/src/packet_callouts.rs b/windows_kext/driver/src/packet_callouts.rs
@@ -173,6 +173,7 @@ fn ip_packet_layer(
                         data.action_block();
                     }
                     Verdict::Undeterminable | Verdict::PermanentDrop | Verdict::Failed => {
+                        send_request_to_portmaster = false;
                         data.block_and_absorb();
                     }
                     Verdict::RedirectNameServer | Verdict::RedirectTunnel => {