Author: rmessiant
Date: Mon Dec 27 10:15:36 2010
New Revision: 50158
URL:
http://svn.reactos.org/svn/reactos?rev=50158&view=rev
Log:
[SCSIPORT]
- ScsiPortDeviceControl: Slight improvement to buffer length validation. Return failure
status on a handful of failure cases. Prevents buffer overruns in user code.
Modified:
trunk/reactos/drivers/storage/scsiport/scsiport.c
Modified: trunk/reactos/drivers/storage/scsiport/scsiport.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/storage/scsiport/s…
==============================================================================
--- trunk/reactos/drivers/storage/scsiport/scsiport.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/storage/scsiport/scsiport.c [iso-8859-1] Mon Dec 27 10:15:36
2010
@@ -2809,7 +2809,8 @@
{
PIO_STACK_LOCATION Stack;
PSCSI_PORT_DEVICE_EXTENSION DeviceExtension;
- NTSTATUS Status = STATUS_SUCCESS;
+ PDUMP_POINTERS DumpPointers;
+ NTSTATUS Status;
DPRINT("ScsiPortDeviceControl()\n");
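Review bot: Dropping the `= STATUS_SUCCESS` initializer on `Status` means every path through the switch must now assign it, and this diff only adds assignments to the IOCTL_SCSI_GET_DUMP_POINTERS, IOCTL_SCSI_MINIPORT, IOCTL_SCSI_PASS_THROUGH and default cases. The cases between the second and third hunks (IOCTL_SCSI_GET_CAPABILITIES onward) are unchanged and not visible here; if any of them leaves `Status` unset, the IRP would be completed with an indeterminate stack value. Either keep a defined, fail-closed initial value such as `NTSTATUS Status = STATUS_NOT_IMPLEMENTED;`, or confirm that each remaining case assigns it. The function body starts and ends outside this hunk.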
@@ -2821,15 +2822,22 @@
switch (Stack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_SCSI_GET_DUMP_POINTERS:
- {
- PDUMP_POINTERS DumpPointers;
- DPRINT(" IOCTL_SCSI_GET_DUMP_POINTERS\n");
- DumpPointers = (PDUMP_POINTERS)Irp->AssociatedIrp.SystemBuffer;
- DumpPointers->DeviceObject = DeviceObject;
-
- Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
- }
- break;
+ DPRINT(" IOCTL_SCSI_GET_DUMP_POINTERS\n");
+
+ if (Stack->Parameters.DeviceIoControl.OutputBufferLength <
sizeof(DUMP_POINTERS))
+ {
+ Status = STATUS_BUFFER_OVERFLOW;
+ Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
+ break;
+ }
+
+ DumpPointers = Irp->AssociatedIrp.SystemBuffer;
+ DumpPointers->DeviceObject = DeviceObject;
+ /* More data.. ? */
+
+ Status = STATUS_SUCCESS;
+ Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
+ break;
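Review bot: The short-buffer branch completes with `STATUS_BUFFER_OVERFLOW` while setting `Irp->IoStatus.Information = sizeof(DUMP_POINTERS)`, which reports more bytes than the caller's output buffer holds. `STATUS_BUFFER_OVERFLOW` is a warning rather than an error status, and for buffered I/O the I/O manager normally copies `Information` bytes from the system buffer back to the caller on non-error completion, so this path may itself copy past the caller's buffer. The usual pattern when nothing was written is `Status = STATUS_BUFFER_TOO_SMALL;` with `Irp->IoStatus.Information = 0;`. On the success path only `DeviceObject` is assigned, yet `sizeof(DUMP_POINTERS)` bytes are returned, so the remaining fields carry whatever the system buffer held; adding `RtlZeroMemory(DumpPointers, sizeof(DUMP_POINTERS));` before the assignment would avoid handing back uninitialised memory. The switch continues outside this hunk.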
case IOCTL_SCSI_GET_CAPABILITIES:
DPRINT(" IOCTL_SCSI_GET_CAPABILITIES\n");
@@ -2865,16 +2873,18 @@
case IOCTL_SCSI_MINIPORT:
DPRINT1("IOCTL_SCSI_MINIPORT unimplemented!\n");
+ Status = STATUS_NOT_IMPLEMENTED;
break;
case IOCTL_SCSI_PASS_THROUGH:
DPRINT1("IOCTL_SCSI_PASS_THROUGH unimplemented!\n");
+ Status = STATUS_NOT_IMPLEMENTED;
break;
default:
- DPRINT1(" unknown ioctl code: 0x%lX\n",
- Stack->Parameters.DeviceIoControl.IoControlCode);
- break;
+ DPRINT1(" unknown ioctl code: 0x%lX\n",
Stack->Parameters.DeviceIoControl.IoControlCode);
+ Status = STATUS_NOT_IMPLEMENTED;
+ break;
}
/* Complete the request with the given status */
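Review bot: The `default:` case now completes unrecognised control codes with `STATUS_NOT_IMPLEMENTED`, the same status used for the two known-but-unimplemented IOCTLs, so a caller cannot tell an unsupported request from a code the port driver does not recognise. `Status = STATUS_INVALID_DEVICE_REQUEST;` is the conventional status for an unknown IOCTL. None of the three failure paths sets `Irp->IoStatus.Information`; if it is not zeroed before the switch (not visible in this hunk), adding `Irp->IoStatus.Information = 0;` alongside each status keeps a failed request from reporting output bytes. The switch begins outside this hunk.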