Author: hbelusca
Date: Sat Mar 4 00:35:02 2017
New Revision: 74044
URL:
http://svn.reactos.org/svn/reactos?rev=74044&view=rev
Log:
[WS2_32]: More fixes:
- Perform success checks in WsAsyncCheckAndInitThread, in particular, check whether
Context is correctly allocated,
and check whether the WsAsyncThread was correctly started up. In case of failure,
perform the necessary cleanup,
including calling WSACleanup().
- Check also the returned error code of WSAStartup. Fixes CID 1101934.
- Fix logic mess-up in WsNqLookupServiceNext when updating NsQuery->ActiveProvider;
- Fix copy-pasta errors (using 'lpafpProtocols' instead of 'lpcsaBuffer')
in CopyQuerySetIndirectA and CopyQuerySetIndirectW,
that triggered CID 513446 + CID 513447 (CopyQuerySetIndirectA), and CID 513444 + CID
513445 (CopyQuerySetIndirectW).
- Check for 'lpdwBufferLength' pointer validity in WSALookupServiceNextW;
- Check for 'lpdwBufferLength' and 'lpqsResults' pointers validity in
WSALookupServiceNextA, and dereference lpdwBufferLength only afterwards.
- Check for return value of RegCreateKeyEx in WsOpenRegistryRoot(), fixes CID 715923.
Modified:
trunk/reactos/dll/win32/ws2_32/src/async.c
trunk/reactos/dll/win32/ws2_32/src/nsquery.c
trunk/reactos/dll/win32/ws2_32/src/qshelpr.c
trunk/reactos/dll/win32/ws2_32/src/rnr.c
trunk/reactos/dll/win32/ws2_32/src/wsautil.c
Modified: trunk/reactos/dll/win32/ws2_32/src/async.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/src/async…
==============================================================================
--- trunk/reactos/dll/win32/ws2_32/src/async.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/src/async.c [iso-8859-1] Sat Mar 4 00:35:02 2017
@@ -847,6 +847,8 @@
{
/* Initialize Thread Context */
Context = HeapAlloc(WsSockHeap, 0, sizeof(*Context));
+ if (!Context)
+ goto Exit;
/* Initialize the Queue and event */
WsAsyncQueue = &Context->AsyncQueue;
@@ -855,7 +857,8 @@
WsAsyncEvent = Context->AsyncEvent;
/* Prevent us from ever being killed while running */
- WSAStartup(MAKEWORD(2,2), &WsaData);
+ if (WSAStartup(MAKEWORD(2,2), &WsaData) != ERROR_SUCCESS)
+ goto Fail;
/* Create the thread */
ThreadHandle = CreateThread(NULL,
@@ -864,15 +867,31 @@
Context,
0,
&Tid);
+ if (ThreadHandle == NULL)
+ {
+ /* Cleanup and fail */
+ WSACleanup();
+ goto Fail;
+ }
/* Close the handle and set init */
CloseHandle(ThreadHandle);
WsAsyncThreadInitialized = TRUE;
}
+Exit:
/* Release the lock */
WsAsyncUnlock();
return WsAsyncThreadInitialized;
+
+Fail:
+ /* Close the event, free the Context */
+ if (Context->AsyncEvent)
+ CloseHandle(Context->AsyncEvent);
+ HeapFree(WsSockHeap, 0, Context);
+
+ /* Bail out */
+ goto Exit;
}
VOID
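Review bot: The `Fail:` block frees `Context` and closes `Context->AsyncEvent`, but the globals `WsAsyncQueue` and `WsAsyncEvent`, assigned from that same `Context` earlier in the function, are left pointing at the freed heap block and the closed handle. Any later code that reads them without first testing `WsAsyncThreadInitialized` would touch freed memory or a stale handle, so I would reset them after the `HeapFree` call: `WsAsyncQueue = NULL;` and `WsAsyncEvent = NULL;`. Both the `WSAStartup` failure in the previous hunk and the `CreateThread` failure here take this path. The function begins outside the hunk, so whether the event creation itself is checked before `Fail:` can be reached cannot be seen from here.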
Modified: trunk/reactos/dll/win32/ws2_32/src/nsquery.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/src/nsque…
==============================================================================
--- trunk/reactos/dll/win32/ws2_32/src/nsquery.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/src/nsquery.c [iso-8859-1] Sat Mar 4 00:35:02 2017
@@ -268,15 +268,12 @@
/* Acquire Query Lock */
WsNqLock();
- /* Save the current active provider */
- Provider = NsQuery->ActiveProvider;
-
- /* Check if one exists */
- if (Provider)
- {
- /* Get the next one */
- NextProvider = WsNqNextProvider(NsQuery,
- NsQuery->ActiveProvider);
+ /* Check if we have an active provider */
+ if (NsQuery->ActiveProvider)
+ {
+ /* Save the old provider and get the next one */
+ Provider = NextProvider;
+ NextProvider = WsNqNextProvider(NsQuery, NsQuery->ActiveProvider);
/* Was the old provider our active? */
if (Provider == NsQuery->ActiveProvider)
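Review bot: `Provider = NextProvider;` reads `NextProvider` before anything in this hunk assigns it. The comparison `Provider == NsQuery->ActiveProvider` that follows is therefore only meaningful if code above the hunk always leaves `NextProvider` set to the provider that was just queried. That assignment is not visible here, and the removed lines did not depend on it. I would state the dependency in the comment, for example `/* NextProvider still holds the provider we just queried; keep it as the old one */`, and confirm that no path reaches this point with `NextProvider` unset. The enclosing function starts and ends outside the hunk.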
@@ -327,8 +324,7 @@
{
/* New query succeeded, set active provider now */
NsQuery->ActiveProvider =
- WsNqNextProvider(NsQuery,
- NsQuery->ActiveProvider);
+ WsNqNextProvider(NsQuery, NsQuery->ActiveProvider);
}
}
else
Modified: trunk/reactos/dll/win32/ws2_32/src/qshelpr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/src/qshel…
==============================================================================
--- trunk/reactos/dll/win32/ws2_32/src/qshelpr.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/src/qshelpr.c [iso-8859-1] Sat Mar 4 00:35:02 2017
@@ -499,8 +499,8 @@
sizeof(PVOID));
/* Copy it into the buffer */
- RtlCopyMemory(RelativeSet->lpafpProtocols,
- AnsiSet->lpafpProtocols,
+ RtlCopyMemory(RelativeSet->lpcsaBuffer,
+ AnsiSet->lpcsaBuffer,
AnsiSet->dwNumberOfCsAddrs * sizeof(CSADDR_INFO));
/* Copy the addresses inside the CSADDR */
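Review bot: The copy length `AnsiSet->dwNumberOfCsAddrs * sizeof(CSADDR_INFO)` is taken from the caller's query set and multiplied with no overflow check. On a 32-bit build a large count can wrap to a small length, and the per-address loop that follows would then presumably walk more entries than were copied. The code that sizes the destination is outside the hunk, so confirm it uses the same bounded count. A guard before the copy, such as `if (AnsiSet->dwNumberOfCsAddrs > MAXDWORD / sizeof(CSADDR_INFO))` rejecting the set, would make this explicit. The same applies to the `UnicodeSet` copy in the next hunk.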
@@ -693,8 +693,8 @@
sizeof(PVOID));
/* Copy it into the buffer */
- RtlCopyMemory(RelativeSet->lpafpProtocols,
- UnicodeSet->lpafpProtocols,
+ RtlCopyMemory(RelativeSet->lpcsaBuffer,
+ UnicodeSet->lpcsaBuffer,
UnicodeSet->dwNumberOfCsAddrs * sizeof(CSADDR_INFO));
/* Copy the addresses inside the CSADDR */
Modified: trunk/reactos/dll/win32/ws2_32/src/rnr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/src/rnr.c…
==============================================================================
--- trunk/reactos/dll/win32/ws2_32/src/rnr.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/src/rnr.c [iso-8859-1] Sat Mar 4 00:35:02 2017
@@ -397,8 +397,9 @@
return SOCKET_ERROR;
}
- /* Verify pointer */
- if (IsBadWritePtr(lpqsResults, sizeof(*lpqsResults)))
+ /* Verify pointers */
+ if (IsBadReadPtr(lpdwBufferLength, sizeof(*lpdwBufferLength)) ||
+ IsBadWritePtr(lpqsResults, sizeof(*lpqsResults)))
{
/* It is invalid; fail */
SetLastError(WSAEFAULT);
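Review bot: `lpdwBufferLength` is probed with `IsBadReadPtr` only, but the lookup API treats it as an in/out parameter and writes the required size back through it. A readable but non-writable location would pass this check and fault later, so `IsBadWritePtr(lpdwBufferLength, sizeof(*lpdwBufferLength))` would match the actual use; the write-back is outside the hunk, so please confirm. The same probe is added to WSALookupServiceNextA in the next hunk. These probes are also a point-in-time check: another thread can unmap or reprotect the memory afterwards, so they do not replace guarding the real accesses.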
@@ -437,9 +438,20 @@
OUT LPWSAQUERYSETA lpqsResults)
{
LPWSAQUERYSETW UnicodeQuerySet;
- DWORD UnicodeQuerySetSize = *lpdwBufferLength;
+ DWORD UnicodeQuerySetSize;
INT ErrorCode;
DPRINT("WSALookupServiceNextA: %lx\n", hLookup);
+
+ /* Verify pointers */
+ if (IsBadReadPtr(lpdwBufferLength, sizeof(*lpdwBufferLength)) ||
+ IsBadWritePtr(lpqsResults, sizeof(*lpqsResults)))
+ {
+ /* It is invalid; fail */
+ SetLastError(WSAEFAULT);
+ return SOCKET_ERROR;
+ }
+
+ UnicodeQuerySetSize = *lpdwBufferLength;
/* Check how much the user is giving */
if (UnicodeQuerySetSize >= sizeof(WSAQUERYSETW))
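Review bot: The new probe requires `sizeof(*lpqsResults)` writable bytes regardless of what the caller declared in `*lpdwBufferLength`, whereas the following check `if (UnicodeQuerySetSize >= sizeof(WSAQUERYSETW))` suggests that smaller buffers were handled by this function before. A caller asking for the required size with a short or NULL buffer would now get `WSAEFAULT` from the early return without `*lpdwBufferLength` being updated, which it cannot tell apart from a too-small-buffer report. I would probe only the declared length once `lpdwBufferLength` is validated, for example `IsBadWritePtr(lpqsResults, *lpdwBufferLength)`, or leave the result-buffer check to the branch that actually writes to it. The rest of the function is outside the hunk, so the short-buffer path should be checked against this.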
Modified: trunk/reactos/dll/win32/ws2_32/src/wsautil.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/src/wsaut…
==============================================================================
--- trunk/reactos/dll/win32/ws2_32/src/wsautil.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/src/wsautil.c [iso-8859-1] Sat Mar 4 00:35:02 2017
@@ -31,15 +31,15 @@
if (ErrorCode == ERROR_FILE_NOT_FOUND)
{
/* Create it */
- RegCreateKeyEx(HKEY_LOCAL_MACHINE,
- WINSOCK_ROOT,
- 0,
- NULL,
- REG_OPTION_NON_VOLATILE,
- KEY_ALL_ACCESS,
- NULL,
- &WinsockRootKey,
- &CreateDisposition);
+ ErrorCode = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
+ WINSOCK_ROOT,
+ 0,
+ NULL,
+ REG_OPTION_NON_VOLATILE,
+ KEY_ALL_ACCESS,
+ NULL,
+ &WinsockRootKey,
+ &CreateDisposition);
}
else if (ErrorCode == ERROR_SUCCESS)
{
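Review bot: The create path still requests `KEY_ALL_ACCESS` on a key under `HKEY_LOCAL_MACHINE`, so now that the `RegCreateKeyEx` result is stored in `ErrorCode`, a caller without full rights to that hive will take the failure path. If the callers only read the Winsock configuration, a narrower access mask (for instance `KEY_READ`, with write access requested only where a setup path needs it) would follow least privilege and keep unprivileged processes working. The rights actually needed are not visible in this hunk, so this needs checking against the users of `WinsockRootKey`. The code that consumes the new `ErrorCode` value is also outside the hunk, and since the success branch is an `else if` of the same chain, it is worth confirming that a failed create is actually tested afterwards.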