https://git.reactos.org/?p=reactos.git;a=commitdiff;h=731eddfe40a0ae641a6a4b...
commit 731eddfe40a0ae641a6a4b99273a9564a5b4ddc0 Author: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org AuthorDate: Sat Oct 17 16:40:50 2020 +0200 Commit: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org CommitDate: Fri Oct 30 01:58:16 2020 +0100
[BASESRV] Re-enable and actually fix the CsrValidateMessageBuffer() checks in BaseSrvDefineDosDevice(). (#3304)
Addendum to commit 0a392b18.
The actual problem that existed all along was that the buffers being validated with CsrValidateMessageBuffer() were not the correct ones!
What had to be checked is the string buffer **INSIDE** the UNICODE_STRING structures! Indeed, it is these buffers that we are allocating on client side, see https://github.com/reactos/reactos/blob/9b421af1/dll/win32/kernel32/client/d...
Dedicated to Pierre Schweitzer.
---
 subsystems/win/basesrv/dosdev.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/subsystems/win/basesrv/dosdev.c b/subsystems/win/basesrv/dosdev.c
index 958dceca8ee..85cb0d79b57 100644
--- a/subsystems/win/basesrv/dosdev.c
+++ b/subsystems/win/basesrv/dosdev.c
@@ -514,22 +514,21 @@ CSR_API(BaseSrvDefineDosDevice)
 PWSTR InterPtr;
 BOOLEAN RemoveFound;
-#if 0
- /* FIXME: Check why it fails.... */
 if (!CsrValidateMessageBuffer(ApiMessage,
- (PVOID*)&DefineDosDeviceRequest->DeviceName,
+ (PVOID*)&DefineDosDeviceRequest->DeviceName.Buffer,
 DefineDosDeviceRequest->DeviceName.Length,
- 1) ||
+ sizeof(BYTE)) ||
 (DefineDosDeviceRequest->DeviceName.Length & 1) != 0 ||
 !CsrValidateMessageBuffer(ApiMessage,
- (PVOID*)&DefineDosDeviceRequest->TargetPath,
- (DefineDosDeviceRequest->TargetPath.Length != 0 ? sizeof(UNICODE_NULL) : 0) + DefineDosDeviceRequest->TargetPath.Length,
- 1) ||
+ (PVOID*)&DefineDosDeviceRequest->TargetPath.Buffer,
+ DefineDosDeviceRequest->TargetPath.Length +
+ (DefineDosDeviceRequest->TargetPath.Length != 0
+ ? sizeof(UNICODE_NULL) : 0),
+ sizeof(BYTE)) ||
 (DefineDosDeviceRequest->TargetPath.Length & 1) != 0)
 {
 return STATUS_INVALID_PARAMETER;
 }
-#endif
DPRINT("BaseSrvDefineDosDevice entered, Flags:%d, DeviceName:%wZ (%d), TargetPath:%wZ (%d)\n",
 DefineDosDeviceRequest->Flags,
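Review bot: The re-enabled check bounds `DeviceName.Buffer` and `TargetPath.Buffer` by `Length` only, so the client-supplied `MaximumLength` of both UNICODE_STRINGs is still unvalidated in this hunk. If anything later in BaseSrvDefineDosDevice() (its body continues outside the hunk) sizes a copy or an append from `MaximumLength`, it would be working from an untrusted value. Rejecting the inconsistent case in the same condition would close that, e.g. `DefineDosDeviceRequest->DeviceName.MaximumLength < DefineDosDeviceRequest->DeviceName.Length ||`, with the matching test for TargetPath. The TargetPath call also only reserves room for a trailing UNICODE_NULL without confirming one is present, which matters if later code treats the buffer as NUL-terminated. I would also add a comment above the `if`, such as `/* Validate the captured string buffers, not the UNICODE_STRING structures embedded in the message */`, so the argument is not changed back.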