[reactos] 04/04: [LSASRV] Add parameter validation in LsapSetLogonSessionData(). - Ros-diffs

2 Jan 2020

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=cf7981fe4e5c2cbdf62d93...
commit cf7981fe4e5c2cbdf62d93b6132085a3ad383881
Author:     Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org
AuthorDate: Tue Jun 18 02:27:47 2019 +0200
Commit:     Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org
CommitDate: Thu Jan 2 22:17:03 2020 +0100
[LSASRV] Add parameter validation in LsapSetLogonSessionData().
---
 dll/win32/lsasrv/session.c | 64 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 52 insertions(+), 12 deletions(-)

diff --git a/dll/win32/lsasrv/session.c b/dll/win32/lsasrv/session.c
index 2cc37bdc518..69775dba982 100644
--- a/dll/win32/lsasrv/session.c
+++ b/dll/win32/lsasrv/session.c
@@ -71,6 +71,7 @@ LsapSetLogonSessionData(
     _In_ PUNICODE_STRING LogonDomain,
     _In_ PSID Sid)
 {
+    NTSTATUS Status;
     PLSAP_LOGON_SESSION Session;
     ULONG Length;
@@ -83,8 +84,15 @@ LsapSetLogonSessionData(
     TRACE("LogonType %lu\n", LogonType);
     Session->LogonType = LogonType;
+    Status = RtlValidateUnicodeString(0, UserName);
+    if (!NT_SUCCESS(Status))
+        return STATUS_INVALID_PARAMETER;
+
+    /* UserName is mandatory and cannot be an empty string */
     TRACE("UserName %wZ\n", UserName);
-    Session->UserName.Buffer = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, UserName->MaximumLength);
+    Session->UserName.Buffer = RtlAllocateHeap(RtlGetProcessHeap(),
+                                               HEAP_ZERO_MEMORY,
+                                               UserName->MaximumLength);
     if (Session->UserName.Buffer == NULL)
         return STATUS_INSUFFICIENT_RESOURCES;
@@ -92,19 +100,53 @@ LsapSetLogonSessionData(
     Session->UserName.MaximumLength = UserName->MaximumLength;
     RtlCopyMemory(Session->UserName.Buffer, UserName->Buffer, UserName->MaximumLength);
-    TRACE("LogonDomain %wZ\n", LogonDomain);
-    Session->LogonDomain.Buffer = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, LogonDomain->MaximumLength);
-    if (Session->LogonDomain.Buffer == NULL)
-        return STATUS_INSUFFICIENT_RESOURCES;
+    Status = RtlValidateUnicodeString(0, LogonDomain);
+    if (!NT_SUCCESS(Status))
+    {
+        /* Cleanup and fail */
+        if (Session->UserName.Buffer != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, Session->UserName.Buffer);
-    Session->LogonDomain.Length = LogonDomain->Length;
-    Session->LogonDomain.MaximumLength = LogonDomain->MaximumLength;
-    RtlCopyMemory(Session->LogonDomain.Buffer, LogonDomain->Buffer, LogonDomain->MaximumLength);
+        return STATUS_INVALID_PARAMETER;
+    }
+
+    /* LogonDomain is optional and can be an empty string */
+    TRACE("LogonDomain %wZ\n", LogonDomain);
+    if (LogonDomain->Length)
+    {
+        Session->LogonDomain.Buffer = RtlAllocateHeap(RtlGetProcessHeap(),
+                                                      HEAP_ZERO_MEMORY,
+                                                      LogonDomain->MaximumLength);
+        if (Session->LogonDomain.Buffer == NULL)
+        {
+            /* Cleanup and fail */
+            if (Session->UserName.Buffer != NULL)
+                RtlFreeHeap(RtlGetProcessHeap(), 0, Session->UserName.Buffer);
+
+            return STATUS_INSUFFICIENT_RESOURCES;
+        }
+
+        Session->LogonDomain.Length = LogonDomain->Length;
+        Session->LogonDomain.MaximumLength = LogonDomain->MaximumLength;
+        RtlCopyMemory(Session->LogonDomain.Buffer, LogonDomain->Buffer, LogonDomain->MaximumLength);
+    }
+    else
+    {
+        RtlInitEmptyUnicodeString(&Session->LogonDomain, NULL, 0);
+    }
Length = RtlLengthSid(Sid);
     Session->Sid = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length);
-    if (Session->UserName.Buffer == NULL)
+    if (Session->Sid == NULL)
+    {
+        /* Cleanup and fail */
+        if (Session->LogonDomain.Buffer != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, Session->LogonDomain.Buffer);
+        if (Session->UserName.Buffer != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, Session->UserName.Buffer);
+
         return STATUS_INSUFFICIENT_RESOURCES;
+    }
RtlCopyMemory(Session->Sid, Sid, Length);
@@ -397,10 +439,9 @@ LsapGetLogonSessionData(IN OUT PLSA_API_MSG RequestMsg)
     RtlCopyLuid(&LocalSessionData->LogonId,
                 &RequestMsg->GetLogonSessionData.Request.LogonId);
-    /* Copy the UserName string*/
+    /* Copy the UserName string */
     LocalSessionData->UserName.Length = Session->UserName.Length;
     LocalSessionData->UserName.MaximumLength = Session->UserName.MaximumLength;
-
     if (Session->UserName.MaximumLength != 0)
     {
         RtlCopyMemory(Ptr, Session->UserName.Buffer, Session->UserName.MaximumLength);
@@ -479,7 +520,6 @@ LsapGetLogonSessionData(IN OUT PLSA_API_MSG RequestMsg)
         Ptr = (PUCHAR)((ULONG_PTR)Ptr + Session->Upn.MaximumLength);
     }
-
     InitializeObjectAttributes(&ObjectAttributes,
                                NULL,
                                0,

    