From 17ebac8482e45de9fe431ab35d8036edf7178765 Mon Sep 17 00:00:00 2001
From: Zebediah Figura
Date: Mon, 30 Aug 2021 22:25:57 -0500
Subject: [PATCH] mountmgr: Validate the output size for IOCTL_MOUNTMGR_QUERY_POINTS.

Signed-off-by: Zebediah Figura
Signed-off-by: Alexandre Julliard
---
 dlls/kernel32/tests/volume.c | 6 +++---
 dlls/mountmgr.sys/mountmgr.c | 12 ++++-------
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/dlls/kernel32/tests/volume.c b/dlls/kernel32/tests/volume.c
index 1670ab69222..4915e744eba 100644
--- a/dlls/kernel32/tests/volume.c
+++ b/dlls/kernel32/tests/volume.c
@@ -1658,7 +1658,7 @@ static void test_mountmgr_query_points(void)
     io.Information = 0xdeadf00d;
     status = NtDeviceIoControlFile( file, NULL, NULL, NULL, &io, IOCTL_MOUNTMGR_QUERY_POINTS,
             input, sizeof(*input), NULL, 0 );
-    todo_wine ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
+    ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
     todo_wine ok(io.Status == 0xdeadf00d, "got status %#x\n", io.Status);
     todo_wine ok(io.Information == 0xdeadf00d, "got information %#Ix\n", io.Information);
 
@@ -1667,10 +1667,10 @@ static void test_mountmgr_query_points(void)
     memset(output, 0xcc, sizeof(*output));
     status = NtDeviceIoControlFile( file, NULL, NULL, NULL, &io, IOCTL_MOUNTMGR_QUERY_POINTS,
             input, sizeof(*input), output, sizeof(*output) - 1 );
-    todo_wine ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
+    ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
     todo_wine ok(io.Status == 0xdeadf00d, "got status %#x\n", io.Status);
     todo_wine ok(io.Information == 0xdeadf00d, "got information %#Ix\n", io.Information);
-    todo_wine ok(output->Size == 0xcccccccc, "got size %u\n", output->Size);
+    ok(output->Size == 0xcccccccc, "got size %u\n", output->Size);
     ok(output->NumberOfMountPoints == 0xcccccccc, "got count %u\n", output->NumberOfMountPoints);
 
     io.Status = 0xdeadf00d;
diff --git a/dlls/mountmgr.sys/mountmgr.c b/dlls/mountmgr.sys/mountmgr.c
index 50be9eb740f..a61140d847e 100644
--- a/dlls/mountmgr.sys/mountmgr.c
+++ b/dlls/mountmgr.sys/mountmgr.c
@@ -168,8 +168,9 @@ static NTSTATUS query_mount_points( void *buff, SIZE_T insize,
     MOUNTMGR_MOUNT_POINTS *info;
     struct mount_point *mount;
 
-    /* sanity checks */
-    if (input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength > insize ||
+    if (insize < sizeof(*input) ||
+        outsize < sizeof(*info) ||
+        input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength > insize ||
         input->UniqueIdOffset + input->UniqueIdLength > insize ||
         input->DeviceNameOffset + input->DeviceNameLength > insize ||
         input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength < input->SymbolicLinkNameOffset ||
@@ -193,7 +194,7 @@ static NTSTATUS query_mount_points( void *buff, SIZE_T insize,
     if (size > outsize)
     {
         info = buff;
-        if (size >= sizeof(info->Size)) info->Size = size;
+        info->Size = size;
         iosb->Information = sizeof(info->Size);
         return STATUS_MORE_ENTRIES;
     }
@@ -907,11 +908,6 @@ static NTSTATUS WINAPI mountmgr_ioctl( DEVICE_OBJECT *device, IRP *irp )
     switch(irpsp->Parameters.DeviceIoControl.IoControlCode)
     {
     case IOCTL_MOUNTMGR_QUERY_POINTS:
-        if (irpsp->Parameters.DeviceIoControl.InputBufferLength < sizeof(MOUNTMGR_MOUNT_POINT))
-        {
-            status = STATUS_INVALID_PARAMETER;
-            break;
-        }
         status = query_mount_points( irp->AssociatedIrp.SystemBuffer,
                                      irpsp->Parameters.DeviceIoControl.InputBufferLength,
                                      irpsp->Parameters.DeviceIoControl.OutputBufferLength,
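Review bot: The new `insize < sizeof(*input)` term in the first hunk is load-bearing for the `input->...Offset` reads that follow it in the same condition (only short-circuit evaluation keeps them from reading past a too-short buffer), and nothing says so now that the `/* sanity checks */` comment is dropped; since the third hunk removes the equivalent InputBufferLength check from mountmgr_ioctl, this condition is the only guard left for those reads. I would put a comment above the if: `/* size checks must come first: the remaining terms read *input, and outsize >= sizeof(*info) is what lets info->Size be written on the STATUS_MORE_ENTRIES path */`. The same invariant is what makes the now-unconditional `info->Size = size;` in the second hunk safe, so a reader of that line currently has to find this check on their own. Both query_mount_points and mountmgr_ioctl continue outside their hunks.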