From f98556c119d3f55ba26f4e737db8766b8dfd13c4 Mon Sep 17 00:00:00 2001
From: Rob Shearman
Date: Fri, 26 Oct 2007 17:01:33 +0100
Subject: [PATCH] server: Add the name length to the object_attributes structure so that other variable length data can be present after object_attributes.
---
 dlls/ntdll/sync.c | 3 +++
 dlls/ntdll/virtual.c | 1 +
 server/event.c | 5 +----
 server/mapping.c | 5 +----
 server/mutex.c | 5 +----
 server/protocol.def | 1 +
 server/security.h | 5 +++++
 server/semaphore.c | 4 +---
 server/token.c | 3 ++-
 server/trace.c | 12 +++++++----
 10 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/dlls/ntdll/sync.c b/dlls/ntdll/sync.c
index 191cd0763df..47c846108a9 100644
--- a/dlls/ntdll/sync.c
+++ b/dlls/ntdll/sync.c
@@ -154,6 +154,7 @@ NTSTATUS WINAPI NtCreateSemaphore( OUT PHANDLE SemaphoreHandle,
     objattr.rootdir = attr ? attr->RootDirectory : 0;
     objattr.sd_len = 0;
+    objattr.name_len = len;
     if (attr)
     {
         ret = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
@@ -262,6 +263,7 @@ NTSTATUS WINAPI NtCreateEvent(
     objattr.rootdir = attr ? attr->RootDirectory : 0;
     objattr.sd_len = 0;
+    objattr.name_len = len;
     if (attr)
     {
         ret = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
@@ -425,6 +427,7 @@ NTSTATUS WINAPI NtCreateMutant(OUT HANDLE* MutantHandle,
     objattr.rootdir = attr ? attr->RootDirectory : 0;
     objattr.sd_len = 0;
+    objattr.name_len = len;
     if (attr)
     {
         status = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
index 2c08a16a4ab..684fa5db75f 100644
--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
@@ -1864,6 +1864,7 @@ NTSTATUS WINAPI NtCreateSection( HANDLE *handle, ACCESS_MASK access, const OBJEC
     objattr.rootdir = attr ? attr->RootDirectory : 0;
     objattr.sd_len = 0;
+    objattr.name_len = len;
     if (attr)
     {
         ret = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
diff --git a/server/event.c b/server/event.c
index f8662115612..99d0f4b2182 100644
--- a/server/event.c
+++ b/server/event.c
@@ -180,10 +180,7 @@ DECL_HANDLER(create_event)
         return;
     sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
-
-    /* get unicode string */
-    name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
-    name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+    objattr_get_name( objattr, &name );
     if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
         return;
diff --git a/server/mapping.c b/server/mapping.c
index 8f1bf5c1e0b..bd21a501bac 100644
--- a/server/mapping.c
+++ b/server/mapping.c
@@ -408,10 +408,7 @@ DECL_HANDLER(create_mapping)
         return;
     sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
-
-    /* get unicode string */
-    name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
-    name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+    objattr_get_name( objattr, &name );
     if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
         return;
diff --git a/server/mutex.c b/server/mutex.c
index 7064c6fda4f..979f21f0d7d 100644
--- a/server/mutex.c
+++ b/server/mutex.c
@@ -205,10 +205,7 @@ DECL_HANDLER(create_mutex)
         return;
     sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
-
-    /* get unicode string */
-    name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
-    name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+    objattr_get_name( objattr, &name );
     if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
         return;
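Review bot: objattr_get_name() derives name.len from objattr->name_len instead of from the remaining request size, so each of these handlers now depends on objattr_is_valid() having bounded name_len against get_req_data_size() before the call; the `return;` at the top of the hunk suggests that check sits directly above, but it is outside the hunk, so a short comment at the call site would make the dependency explicit: `objattr_get_name( objattr, &name );  /* safe: objattr_is_valid() checked name_len above */`. The same replacement is made in server/mapping.c, server/mutex.c and server/semaphore.c. Judging from the line counts, the semaphore.c hunk keeps the blank line that the other three drop and inserts the call above it, which appears to leave two consecutive blank lines before the rootdir check; placing the call where event.c puts it would keep the four handlers identical. The create_event handler starts and ends outside the hunk.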
diff --git a/server/protocol.def b/server/protocol.def
index d336af6b4c0..1ecc886b02b 100644
--- a/server/protocol.def
+++ b/server/protocol.def
@@ -237,6 +237,7 @@ struct object_attributes
 {
     obj_handle_t rootdir; /* root directory */
     data_size_t sd_len; /* length of security_descriptor data. may be 0 */
+    data_size_t name_len; /* length of the name string. may be 0 */
     /* VARARG(sd,security_descriptor); */
     /* VARARG(name,unicode_str); */
 };
diff --git a/server/security.h b/server/security.h
index 50fba525571..ebdf95f99c0 100644
--- a/server/security.h
+++ b/server/security.h
@@ -131,3 +131,8 @@ static inline const SID *sd_get_group( const struct security_descriptor *sd )
 /* determines whether an object_attributes struct is valid in a buffer
  * and calls set_error appropriately */
 extern int objattr_is_valid( const struct object_attributes *objattr, data_size_t size );
+static inline void objattr_get_name( const struct object_attributes *objattr, struct unicode_str *name )
+{
+    name->len = ((objattr->name_len) / sizeof(WCHAR)) * sizeof(WCHAR);
+    name->str = (const WCHAR *)objattr + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+}
diff --git a/server/semaphore.c b/server/semaphore.c
index a8318cd95de..09445e1a64c 100644
--- a/server/semaphore.c
+++ b/server/semaphore.c
@@ -180,10 +180,8 @@ DECL_HANDLER(create_semaphore)
         return;
     sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
+    objattr_get_name( objattr, &name );
-    /* get unicode string */
-    name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
-    name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
     if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
         return;
diff --git a/server/token.c b/server/token.c
index 665ed48c032..93696d9d8ea 100644
--- a/server/token.c
+++ b/server/token.c
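Review bot: The new field's comment says only `length of the name string`, while the server divides the value by sizeof(WCHAR) and the validator compares it against byte counts, so the unit belongs in the comment: `data_size_t name_len; /* length in bytes of the name string. may be 0 */`. Adding a field to object_attributes changes the layout of every request that embeds the struct, and the diffstat lists no regenerated protocol header or protocol version bump next to protocol.def; presumably those are produced separately, but it is worth confirming before merging so that a client built against the old layout is rejected rather than misparsed.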
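Review bot: objattr_get_name() performs no bounds check of its own — name->str comes purely from sd_len and name->len from name_len — so it is only safe on a buffer that objattr_is_valid() has already accepted, and the header should say so in the same style as the objattr_is_valid comment above it, e.g. `/* returns the name that follows the security descriptor; objattr must have passed objattr_is_valid() first */`. The `(sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR)` pointer arithmetic truncates, so if sd_len were ever odd the returned string would begin one byte before the name data; because name->len is rounded down the same way no read escapes the validated region, but the name would be garbled. Presumably the client side always produces a WCHAR-aligned sd_len; a comment or an assertion stating that assumption would make it checkable.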
@@ -309,7 +309,8 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
  * and calls set_error appropriately */
 int objattr_is_valid( const struct object_attributes *objattr, data_size_t size )
 {
-    if ((size < sizeof(*objattr)) || (size - sizeof(*objattr) < objattr->sd_len))
+    if ((size < sizeof(*objattr)) || (size - sizeof(*objattr) < objattr->sd_len) ||
+        (size - sizeof(*objattr) - objattr->sd_len < objattr->name_len))
     {
         set_error( STATUS_ACCESS_VIOLATION );
         return FALSE;
diff --git a/server/trace.c b/server/trace.c
index 30d6efd5e12..0f0e17d7ccf 100644
--- a/server/trace.c
+++ b/server/trace.c
@@ -790,14 +790,16 @@ static void dump_varargs_object_attributes( data_size_t size )
     {
         const WCHAR *str;
         fprintf( stderr, "rootdir=%p,sd=", objattr->rootdir );
-        if (objattr->sd_len > size - sizeof(*objattr)) return;
+        if (objattr->sd_len > size - sizeof(*objattr) ||
+            objattr->name_len > size - sizeof(*objattr) - objattr->sd_len)
+            return;
         dump_inline_security_descriptor( (const struct security_descriptor *)(objattr + 1), objattr->sd_len );
-        str = (const WCHAR *)cur_data + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+        str = (const WCHAR *)objattr + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
         fprintf( stderr, ",name=L\"" );
-        dump_strW( str, (size - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR),
-                   stderr, "\"\"" );
+        dump_strW( str, objattr->name_len / sizeof(WCHAR), stderr, "\"\"" );
         fputc( '\"', stderr );
-        remove_data( size );
+        remove_data( ((sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR) +
+                     objattr->name_len );
     }
     fputc( '}', stderr );
 }
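Review bot: The three comparisons are ordered so that each subtraction is evaluated only after the previous test has shown it cannot wrap, and since size and both length fields are unsigned that ordering is what keeps the check sound; a comment makes it less likely to be "simplified" later: `/* each subtraction is guarded by the preceding test, so the unsigned arithmetic cannot wrap */`. The check deliberately allows bytes beyond name_len, which is the purpose of the commit, but nothing rejects a name_len that is not a multiple of sizeof(WCHAR); objattr_get_name() silently rounds such a length down, so if the client is never expected to send one, consider failing with STATUS_INVALID_PARAMETER on `objattr->name_len % sizeof(WCHAR)`. The body of objattr_is_valid continues outside the hunk.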
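Review bot: The byte offset of the name, `((sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR)`, is now written twice in this hunk (implicitly in the `str` assignment and explicitly in the remove_data() call) and a third time in objattr_get_name() in server/security.h; hoisting it into a local keeps the two uses here in step: `const data_size_t name_off = ((sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);`, `str = (const WCHAR *)((const char *)objattr + name_off);`, `remove_data( name_off + objattr->name_len );`. The early `return` on a bad sd_len or name_len leaves the request data unconsumed and the trace line without its closing brace; that was already so before this change, but now that the function consumes only part of the data it may be worth printing the `}` and calling remove_data( size ) before returning so that a malformed request still dumps as a complete line. dump_varargs_object_attributes is entered outside the hunk, so I am assuming size >= sizeof(*objattr) is established there before the subtractions.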