Author: tfaber Date: Mon Oct 3 15:23:51 2011 New Revision: 53962
URL: http://svn.reactos.org/svn/reactos?rev=53962&view=rev Log: [MSAFD] - Correctly handle an arbitrarily large sockaddr in WSPConnect. Fixes the mIRC 7.1x crash on connect. See issue #6005 for more details.
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msafd/misc/dllmai... ==============================================================================
--- trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] Mon Oct 3 15:23:51 2011
@@ -1431,16 +1431,16 @@
 LPINT lpErrno)
 {
 IO_STATUS_BLOCK IOSB;
- PAFD_CONNECT_INFO ConnectInfo;
- PSOCKET_INFORMATION Socket = NULL;
+ PAFD_CONNECT_INFO ConnectInfo = NULL;
+ PSOCKET_INFORMATION Socket;
 NTSTATUS Status;
 INT Errno;
- UCHAR ConnectBuffer[0x22];
 ULONG ConnectDataLength;
 ULONG InConnectDataLength;
 INT BindAddressLength;
 PSOCKADDR BindAddress;
 HANDLE SockEvent;
+ int SocketDataLength;
 Status = NtCreateEvent(&SockEvent,
 GENERIC_READ | GENERIC_WRITE,
@@ -1506,16 +1506,26 @@
 goto notify;
 }
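Review bot: Dropping the `= NULL` initializer from `PSOCKET_INFORMATION Socket` is only safe if no `goto notify` can run before the socket structure is looked up, because the `notify:` label (hunk 3) passes `Socket` to `SockReenableAsyncSelectEvent`; that lookup is outside this hunk, so please confirm no early jump remains, otherwise keep `PSOCKET_INFORMATION Socket = NULL;`. The new `int SocketDataLength` is a signed length derived from the caller-supplied `SocketAddressLength` and is later used both as an allocation size and a copy length, so it needs a range check before use (raised on the next hunk); declaring it with the file's `INT` type would also match the surrounding declarations. WSPConnect's signature starts before this hunk and its body continues past it.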
- /* Dynamic Structure...ugh */
- ConnectInfo = (PAFD_CONNECT_INFO)ConnectBuffer;
+ /* Calculate the size of SocketAddress->sa_data */
+ SocketDataLength = SocketAddressLength - FIELD_OFFSET(struct sockaddr, sa_data);
+
+ /* Allocate a connection info buffer with SocketDataLength bytes of payload */
+ ConnectInfo = HeapAlloc(GetProcessHeap(), 0,
+ FIELD_OFFSET(AFD_CONNECT_INFO,
+ RemoteAddress.Address[0].Address[SocketDataLength]));
+ if (!ConnectInfo)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto notify;
+ }
 /* Set up Address in TDI Format */
 ConnectInfo->RemoteAddress.TAAddressCount = 1;
- ConnectInfo->RemoteAddress.Address[0].AddressLength = SocketAddressLength - sizeof(SocketAddress->sa_family);
+ ConnectInfo->RemoteAddress.Address[0].AddressLength = SocketDataLength;
 ConnectInfo->RemoteAddress.Address[0].AddressType = SocketAddress->sa_family;
- RtlCopyMemory (ConnectInfo->RemoteAddress.Address[0].Address,
- SocketAddress->sa_data,
- SocketAddressLength - sizeof(SocketAddress->sa_family));
+ RtlCopyMemory(ConnectInfo->RemoteAddress.Address[0].Address,
+ SocketAddress->sa_data,
+ SocketDataLength);
 /*
 * Disable FD_WRITE and FD_CONNECT
@@ -1613,6 +1623,8 @@
 AFD_DbgPrint(MID_TRACE,("Ending\n"));
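Review bot: `SocketDataLength = SocketAddressLength - FIELD_OFFSET(struct sockaddr, sa_data)` goes negative when the application passes a namelen smaller than the `sa_family` header (0, 1, or a negative value), and nothing in this hunk rejects that: the negative value then sizes the `HeapAlloc`, is stored into `AddressLength`, and is handed to `RtlCopyMemory`, where it converts to a huge unsigned length, so a bad namelen becomes an out-of-bounds copy rather than a Winsock error. Unless the elided code between the event creation and this point already validates `SocketAddressLength` (not visible here), add a guard before the subtraction, e.g. `if (SocketAddressLength < (INT)FIELD_OFFSET(struct sockaddr, sa_data)) { Status = STATUS_INVALID_PARAMETER; goto notify; }`, using whichever status the function's error path maps to WSAEFAULT. There is also no upper bound on the length; the allocation side is fine because a failed `HeapAlloc` is handled, but if `AddressLength` is the narrower TDI field (presumably `USHORT`) a very large namelen is silently truncated there while the full payload is still copied into the buffer, so rejecting lengths beyond what the kernel side accepts would keep the two consistent. The enclosing function starts and ends outside this hunk.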
 notify:
+ if (ConnectInfo) HeapFree(GetProcessHeap(), 0, ConnectInfo);
+
 /* Re-enable Async Event */
 SockReenableAsyncSelectEvent(Socket, FD_WRITE);
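Review bot: The cleanup `if (ConnectInfo) HeapFree(GetProcessHeap(), 0, ConnectInfo);` is a braceless single-line `if`, while the allocation-failure path added by this same commit braces its `if`; for consistency write it as `if (ConnectInfo)` / `{` / `HeapFree(GetProcessHeap(), 0, ConnectInfo);` / `}`. Keep the null guard itself, since `HeapFree` is not documented as accepting a null block the way `free(NULL)` is, and the pre-allocation `goto notify` in hunk 2 reaches this label with `ConnectInfo` still NULL. Freeing here is correct only if the connect IOCTL that consumes `ConnectInfo` has fully completed on every path that reaches `notify:`; the IOCTL and any wait on `SockEvent` are outside this hunk, so please confirm no pending I/O can still reference the buffer. WSPConnect's body ends after this hunk.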