rmnet: fix PacketLen missing QMAP_UL_CHECKSUM size in QMUX header for QMAP V2/V3/V4

[5656hcx]

Summary

Users observed QMAP header corruption, which is leading to the crash.
Ideally, the packet length in the status pointer should be greater than the length specified in the QMAP header.
((ipa_ul.curr_eot.curr_pkt.status_ptr)).exception = 4 = 0x4
((ipa_ul.curr_eot.curr_pkt.status_ptr)).pkt_len = 8 = 0x8

Analysis

When QMAP V2/V3/V4 (UL checksum offload) is active, each uplink QMAP frame is laid out as:

[QMAP header (4B)] [QMAP_UL_CHECKSUM (8B)] [IP data + padding (N+P bytes)]

The PacketLen field in the QMAP header tells the device (IPA) where the next frame begins. It should equal everything after the QMAP header: sizeof(QMAP_UL_CHECKSUM) + N + P.

The driver was setting PacketLen = N + P, omitting sizeof(QMAP_UL_CHECKSUM). This caused IPA's frame-boundary pointer to advance sizeof(QMAP_UL_CHECKSUM) bytes too early, so the trailing IP payload bytes were misread as the next QMAP header — producing a corrupt header and a crash:

IPA exception = 4
status.pkt_len = 8  <  qmap.pkt_len = 6746

Fix

In MPUSB_TLPTxPacket and MPUSB_TLPTxPacketEx (MPUsb.c), add sizeof(QMAP_UL_CHECKSUM) to PacketLen when a UL checksum header is present:

// Before
Qmap->PacketLen = RtlUshortByteSwap(sendBytes);

// After
if (QMAPEnabledV4 || QMAPEnabledV2 || QMAPEnabledV3)
    Qmap->PacketLen = RtlUshortByteSwap((USHORT)(sendBytes + sizeof(QMAP_UL_CHECKSUM)));
else
    Qmap->PacketLen = RtlUshortByteSwap((USHORT)sendBytes);  // V1: unchanged

Files Changed

• src/windows/ndis/MPUsb.c

---