This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
This function is reachable by sending an RNDIS Set request with OID 0xFC030202 (OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA) from the Guest to the Host.
The associated structure IPSEC_OFFLOAD_V2_ADD_SA is defined here: https://msdn.microsoft.com/en-us/library/windows/hardware/ff556977(v=vs.85).aspx
Issue #3:
As the function name hints, it translates a V2 ADD structure to a V2 ADD EX one. While the function properly allocates memory based on the KeyLength member, it fails to check that KeyLength falls within the bounds of the source buffer.
.text:0000000000062C62 mov ecx, [rdi+0A4h] ; IPSEC_OFFLOAD_V2_ADD_SA.KeyLength
.text:0000000000062C68 mov dword ptr [rbx+0A0h], 0B0h
.text:0000000000062C72 lea rdx, [rdi+0A8h] ; Src
.text:0000000000062C79 mov [rbx+9Ch], ecx
.text:0000000000062C7F mov r8d, [rdi+0A4h] ; Size
.text:0000000000062C86 lea rcx, [rbx+0B0h] ; Dst
.text:0000000000062C8D call memmove
This results in a ring-0 out-of-bounds read (R0 OOBR) that leads to a BugCheck within vmswitch.sys on the Host.
Please note that this issue has been silently fixed in Windows Server 2016 TP4 (and maybe prior).
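As an added example (not code from this report or from vmswitch.sys), a simplified C model of the translation described under Issue #3: the struct names, layout and MAX_KEY_LEN are constructed stand-ins for IPSEC_OFFLOAD_V2_ADD_SA, and src_len stands for the length of the request's information buffer as received from the guest. The unchecked path mirrors the listing above; the checked path rejects a KeyLength that runs past the received data or past the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_LEN 64u   /* constructed cap; stands in for the EX buffer size */

/* Constructed stand-in: fixed header, then KeyLength bytes of key material. */
typedef struct {
    uint32_t key_length;      /* attacker-controlled, comes from the guest */
    uint8_t  key_data[];      /* KeyLength bytes are supposed to follow */
} add_sa_t;

/* Constructed stand-in for the translated (EX) structure. */
typedef struct {
    uint32_t key_length;
    uint8_t  key_data[MAX_KEY_LEN];
} add_sa_ex_t;

/* Vulnerable pattern, as in the listing: KeyLength is used as the
 * memmove size without comparing it to the bytes actually received. */
int translate_unchecked(add_sa_ex_t *dst, const add_sa_t *src) {
    dst->key_length = src->key_length;
    memmove(dst->key_data, src->key_data, src->key_length); /* OOB read */
    return 0;
}

/* Hardened form: returns 0 on success, -1 if the request is rejected. */
int translate_checked(add_sa_ex_t *dst, const void *src_buf, size_t src_len) {
    const add_sa_t *src = src_buf;
    if (src_len < sizeof(*src))            /* header itself is incomplete */
        return -1;
    uint32_t klen = src->key_length;
    if (klen > src_len - sizeof(*src))     /* key would run past the request */
        return -1;
    if (klen > MAX_KEY_LEN)                /* key would overflow destination */
        return -1;
    dst->key_length = klen;
    memmove(dst->key_data, src->key_data, klen);
    return 0;
}

/* Demonstration helper: builds a request carrying n_key_bytes of key data
 * whose KeyLength field claims claimed_len, then runs the checked path. */
int check_request(uint32_t claimed_len, size_t n_key_bytes) {
    size_t total = sizeof(add_sa_t) + n_key_bytes;
    uint8_t *buf = calloc(total, 1);
    add_sa_ex_t out = {0};
    memcpy(buf, &claimed_len, sizeof claimed_len);
    int rc = translate_checked(&out, buf, total);
    free(buf);
    return rc;
}
```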