From 6fe37f35bfdf58fcef4bc23154db11f7db56b43c Mon Sep 17 00:00:00 2001 From: Alexandre Julliard Date: Sat, 30 Jan 2016 00:30:25 +0900 Subject: [PATCH] ntdll: Add tests for the length of the object attributes structure. Signed-off-by: Alexandre Julliard --- dlls/ntdll/reg.c | 1 - dlls/ntdll/sync.c | 4 ++- dlls/ntdll/tests/file.c | 19 ------------- dlls/ntdll/tests/om.c | 60 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 63 insertions(+), 21 deletions(-) diff --git a/dlls/ntdll/reg.c b/dlls/ntdll/reg.c index bf786f48b80..77126de88c1 100644 --- a/dlls/ntdll/reg.c +++ b/dlls/ntdll/reg.c @@ -129,7 +129,6 @@ NTSTATUS WINAPI NtOpenKeyEx( PHANDLE retkey, ACCESS_MASK access, const OBJECT_AT NTSTATUS ret; if (!retkey || !attr || !attr->ObjectName) return STATUS_ACCESS_VIOLATION; - if (attr->Length > sizeof(OBJECT_ATTRIBUTES)) return STATUS_INVALID_PARAMETER; if ((ret = validate_open_object_attributes( attr ))) return ret; TRACE( "(%p,%s,%x,%p)\n", attr->RootDirectory, diff --git a/dlls/ntdll/sync.c b/dlls/ntdll/sync.c index aa58442700d..c88221eda06 100644 --- a/dlls/ntdll/sync.c +++ b/dlls/ntdll/sync.c @@ -88,6 +88,8 @@ NTSTATUS alloc_object_attributes( const OBJECT_ATTRIBUTES *attr, struct object_a if (!attr) return STATUS_SUCCESS; + if (attr->Length != sizeof(*attr)) return STATUS_INVALID_PARAMETER; + if ((sd = attr->SecurityDescriptor)) { len += sizeof(struct security_descriptor); @@ -153,7 +155,7 @@ NTSTATUS alloc_object_attributes( const OBJECT_ATTRIBUTES *attr, struct object_a NTSTATUS validate_open_object_attributes( const OBJECT_ATTRIBUTES *attr ) { - if (!attr) return STATUS_INVALID_PARAMETER; + if (!attr || attr->Length != sizeof(*attr)) return STATUS_INVALID_PARAMETER; if (attr->ObjectName) { diff --git a/dlls/ntdll/tests/file.c b/dlls/ntdll/tests/file.c index 71e1d7a326c..649b6b48e53 100644 --- a/dlls/ntdll/tests/file.c +++ b/dlls/ntdll/tests/file.c 
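Review bot: The two new `attr->Length != sizeof(*attr)` checks in dlls/ntdll/sync.c (one in alloc_object_attributes, one in validate_open_object_attributes) have no comment explaining why an exact match is required, even though this is stricter than the `attr->Length > sizeof(OBJECT_ATTRIBUTES)` test removed from NtOpenKeyEx. A comment above the check in alloc_object_attributes would record the intent, for example `/* Length is caller-supplied and must equal the structure size exactly; shorter and longer values are both rejected (see tests/om.c) */`. As far as the hunk shows, alloc_object_attributes did not look at Length before, so it is worth confirming that in-tree callers which fill OBJECT_ATTRIBUTES by hand always set it; those callers are not visible in this patch. Both function bodies continue outside their hunks.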
@@ -1138,25 +1138,6 @@ static void nt_mailslot_test(void) if ( rc == STATUS_SUCCESS ) pNtClose(hslot); - /* - * Test that the length field is checked properly - */ - attr.Length = 0; - rc = pNtCreateMailslotFile(&hslot, DesiredAccess, - &attr, &IoStatusBlock, CreateOptions, MailslotQuota, MaxMessageSize, - &TimeOut); - todo_wine ok( rc == STATUS_INVALID_PARAMETER, "rc = %x not c000000d STATUS_INVALID_PARAMETER\n", rc); - - if (rc == STATUS_SUCCESS) pNtClose(hslot); - - attr.Length = sizeof(OBJECT_ATTRIBUTES)+1; - rc = pNtCreateMailslotFile(&hslot, DesiredAccess, - &attr, &IoStatusBlock, CreateOptions, MailslotQuota, MaxMessageSize, - &TimeOut); - todo_wine ok( rc == STATUS_INVALID_PARAMETER, "rc = %x not c000000d STATUS_INVALID_PARAMETER\n", rc); - - if (rc == STATUS_SUCCESS) pNtClose(hslot); - /* * Test a valid call */ diff --git a/dlls/ntdll/tests/om.c b/dlls/ntdll/tests/om.c index ebf09ec3ce7..c6794cca733 100644 --- a/dlls/ntdll/tests/om.c +++ b/dlls/ntdll/tests/om.c @@ -587,6 +587,16 @@ static void test_name_limits(void) str.Length = 67; test_all_kernel_objects( __LINE__, &attr2, STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_INVALID ); + str.Length = 128; + for (attr.Length = 0; attr.Length <= 2 * sizeof(attr); attr.Length++) + { + if (attr.Length == sizeof(attr)) + test_all_kernel_objects( __LINE__, &attr, STATUS_SUCCESS, STATUS_SUCCESS ); + else + test_all_kernel_objects( __LINE__, &attr, STATUS_INVALID_PARAMETER, STATUS_INVALID_PARAMETER ); + } + attr.Length = sizeof(attr); + str.Length = 65532; test_all_kernel_objects( __LINE__, &attr, STATUS_SUCCESS, STATUS_SUCCESS ); 
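Review bot: A failure inside the new `attr.Length` loop in test_name_limits cannot be traced to a particular length, because every iteration passes the same `__LINE__` to test_all_kernel_objects and nothing in the call carries `attr.Length`. The later loops in this file for NtCreateNamedPipeFile, NtCreateMailslotFile and NtCreateKey/NtOpenKey have the same problem: their ok() messages print `str.Length`, which does not change while the loop runs. For those direct ok() calls, passing `attr.Length` in place of `str.Length` (with a matching format specifier) would make the log name the failing size. test_all_kernel_objects is defined outside this hunk, so whether it can report the length has to be checked there.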
@@ -719,6 +729,20 @@ static void test_name_limits(void) status = pNtCreateNamedPipeFile( &ret, GENERIC_ALL, &attr2, &iosb, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_CREATE, FILE_PIPE_FULL_DUPLEX, 0, 0, 0, 1, 256, 256, &timeout ); ok( status == STATUS_OBJECT_NAME_INVALID, "%u: NtCreateNamedPipeFile failed %x\n", str.Length, status ); + str.Length = 128; + for (attr.Length = 0; attr.Length <= 2 * sizeof(attr); attr.Length++) + { + status = pNtCreateNamedPipeFile( &ret, GENERIC_ALL, &attr, &iosb, FILE_SHARE_READ|FILE_SHARE_WRITE, + FILE_CREATE, FILE_PIPE_FULL_DUPLEX, 0, 0, 0, 1, 256, 256, &timeout ); + if (attr.Length == sizeof(attr)) + { + ok( status == STATUS_SUCCESS, "%u: NtCreateNamedPipeFile failed %x\n", str.Length, status ); + pNtClose( ret ); + } + else ok( status == STATUS_INVALID_PARAMETER, + "%u: NtCreateNamedPipeFile failed %x\n", str.Length, status ); + } + attr.Length = sizeof(attr); str.Length = 65532; status = pNtCreateNamedPipeFile( &ret, GENERIC_ALL, &attr, &iosb, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_CREATE, FILE_PIPE_FULL_DUPLEX, 0, 0, 0, 1, 256, 256, &timeout ); 
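Review bot: The `else` branch of the NtCreateNamedPipeFile loop never closes `ret` if the call unexpectedly succeeds, so an implementation that fails this test also leaks a pipe handle on every wrong-length iteration. Because the pipe is created with FILE_CREATE, the leftover instance may also make later iterations fail for an unrelated reason. The checks this patch removes from tests/file.c guarded against that with `if (rc == STATUS_SUCCESS) pNtClose(hslot);`. Adding `if (!status) pNtClose( ret );` after the `else ok( ... )` call, with braces around both statements, would keep the loop self-cleaning. The NtCreateMailslotFile loop and the NtCreateKey/NtOpenKey loop further down have the same gap, and the registry one would also need `pNtDeleteKey( ret )` so that no key is left behind.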
@@ -754,6 +778,19 @@ static void test_name_limits(void) str.Length = 67; status = pNtCreateMailslotFile( &ret, GENERIC_ALL, &attr2, &iosb, 0, 0, 0, NULL ); ok( status == STATUS_OBJECT_NAME_INVALID, "%u: NtCreateMailslotFile failed %x\n", str.Length, status ); + str.Length = 128; + for (attr.Length = 0; attr.Length <= 2 * sizeof(attr); attr.Length++) + { + status = pNtCreateMailslotFile( &ret, GENERIC_ALL, &attr, &iosb, 0, 0, 0, NULL ); + if (attr.Length == sizeof(attr)) + { + ok( status == STATUS_SUCCESS, "%u: NtCreateMailslotFile failed %x\n", str.Length, status ); + pNtClose( ret ); + } + else ok( status == STATUS_INVALID_PARAMETER, + "%u: NtCreateMailslotFile failed %x\n", str.Length, status ); + } + attr.Length = sizeof(attr); str.Length = 65532; status = pNtCreateMailslotFile( &ret, GENERIC_ALL, &attr, &iosb, 0, 0, 0, NULL ); ok( status == STATUS_SUCCESS, "%u: NtCreateMailslotFile failed %x\n", str.Length, status ); 
@@ -810,6 +847,29 @@ static void test_name_limits(void) pNtClose( ret2 ); pNtDeleteKey( ret ); pNtClose( ret ); + + str.Length = sizeof(registryW) + 256 * sizeof(WCHAR); + for (attr.Length = 0; attr.Length <= 2 * sizeof(attr); attr.Length++) + { + if (attr.Length == sizeof(attr)) + { + status = pNtCreateKey( &ret, GENERIC_ALL, &attr, 0, NULL, 0, NULL ); + ok( status == STATUS_SUCCESS, "%u: NtCreateKey failed %x\n", str.Length, status ); + status = pNtOpenKey( &ret2, KEY_READ, &attr ); + ok( status == STATUS_SUCCESS, "%u: NtOpenKey failed %x\n", str.Length, status ); + pNtClose( ret2 ); + pNtDeleteKey( ret ); + pNtClose( ret ); + } + else + { + status = pNtCreateKey( &ret, GENERIC_ALL, &attr, 0, NULL, 0, NULL ); + ok( status == STATUS_INVALID_PARAMETER, "%u: NtCreateKey failed %x\n", str.Length, status ); + status = pNtOpenKey( &ret2, KEY_READ, &attr ); + ok( status == STATUS_INVALID_PARAMETER, "%u: NtOpenKey failed %x\n", str.Length, status ); + } + } + attr.Length = sizeof(attr); } str.Length = sizeof(registryW) + 256 * sizeof(WCHAR) + 1; status = pNtCreateKey( &ret, GENERIC_ALL, &attr, 0, NULL, 0, NULL );