# What day-zero dug up in tcpip.sys Windows TCP/IP driver, 8,421 functions, no symbols. These are leads, not confirmed bugs — spots worth opening in Ghidra, not proof of anything. A length going into `NdisGetDataBuffer`: ``` len = ((arg2 & 0xf) << 2) - 20 ``` Low nibble times 4, minus 20 — a header-length field in 4-byte words with a 20-byte header subtracted off. Nibble under 5 and it underflows to ~4GB. A length walked through four functions, none of them bounding it, from a network entry point down into a packet parser: ``` 0x1400557d0 -> 0x140053d04 -> 0x14006323c -> 0x140061850 -> NdisGetDataBuffer ``` Every hop assumes someone else checked it. A handful of WFP functions (`WfpBufferCopy`, `WfpHandOffTupleStateToTemporaryAleEntry`) hand an unchecked value straight to `ExAllocatePool2` as the allocation size. One computes it as `(input << 4) + 0x2e` — multiply attacker input by 16, allocate that. And the spots that *do* bound the same `(nibble << 2)` length with a proper `<= 0x14` check — flagged as fine, not as findings. # Usage Easy start: ```py binspect.py tcpip.sys --trace``` ### How I made it Been working on it since a few months. Hope it's useful for your research! ### Contributions Contributions are welcome, just fork it, edit it and do a Pull Request!