14 Jan
2006
14 Jan
'06
4:31 p.m.
fixed possible buffer overflows in LookupAccountSidW():
LSA_UNICODE_STRINGs are not necessarily NULL-terminated!
Modified: trunk/reactos/lib/advapi32/sec/misc.c
_____
Modified: trunk/reactos/lib/advapi32/sec/misc.c
--- trunk/reactos/lib/advapi32/sec/misc.c 2006-01-14 16:18:45 UTC
(rev 20854)
+++ trunk/reactos/lib/advapi32/sec/misc.c 2006-01-14 16:31:28 UTC
(rev 20855)
@@ -872,15 +872,14 @@
PSID_NAME_USE peUse )
{
LSA_UNICODE_STRING SystemName;
- LSA_OBJECT_ATTRIBUTES ObjectAttributes;
- LSA_HANDLE PolicyHandle = INVALID_HANDLE_VALUE;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes = {0};
+ LSA_HANDLE PolicyHandle = NULL;
NTSTATUS Status;
PLSA_REFERENCED_DOMAIN_LIST ReferencedDomain = NULL;
PLSA_TRANSLATED_NAME TranslatedName = NULL;
BOOL ret;
RtlInitUnicodeString ( &SystemName, pSystemName );
- ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
Status = LsaOpenPolicy ( &SystemName, &ObjectAttributes,
POLICY_LOOKUP_NAMES, &PolicyHandle );
if ( !NT_SUCCESS(Status) )
{
@@ -910,7 +909,8 @@
else
{
*pdwAccountName = dwSrcLen;
- wcscpy ( pAccountName,
TranslatedName->Name.Buffer );
+ RtlCopyMemory ( pAccountName,
TranslatedName->Name.Buffer, TranslatedName->Name.Length );
+
pAccountName[TranslatedName->Name.Length / sizeof(WCHAR)] = L'\0';
}
if ( peUse )
*peUse = TranslatedName->Use;
@@ -929,7 +929,8 @@
else
{
*pdwDomainName = dwSrcLen;
- wcscpy ( pDomainName,
ReferencedDomain->Domains[0].Name.Buffer );
+ RtlCopyMemory ( pDomainName,
ReferencedDomain->Domains[0].Name.Buffer,
ReferencedDomain->Domains[0].Name.Length );
+
pDomainName[ReferencedDomain->Domains[0].Name.Length / sizeof(WCHAR)] =
L'\0';
}
}
}