- Fix buffer handling in CredMarshalCredential/CredUnmarshalCredential. Fixes stack corruption during advapi32:cred
CORE-7242 #resolve
svn path=/trunk/; revision=62593
- char hash[CERT_HASH_LENGTH + 2];
-
- memcpy( hash, cert->rgbHashOfCert, sizeof(cert->rgbHashOfCert) );
- memset( hash + sizeof(cert->rgbHashOfCert), 0, sizeof(hash) - sizeof(cert->rgbHashOfCert) );
-
- size = sizeof(hash) * 4 / 3;
+ size = (sizeof(cert->rgbHashOfCert) + 2) * 4 / 3;
if (!(p = HeapAlloc( GetProcessHeap(), 0, (size + 4) * sizeof(WCHAR) ))) return FALSE;
p[0] = '@';
p[1] = '@';
p[2] = 'A' + type;
if (!(p = HeapAlloc( GetProcessHeap(), 0, (size + 4) * sizeof(WCHAR) ))) return FALSE;
p[0] = '@';
p[1] = '@';
p[2] = 'A' + type;
- len = cred_encode( (const char *)hash, sizeof(hash), p + 3 );
- p[len] = 0;
+ len = cred_encode( (const char *)cert->rgbHashOfCert, sizeof(cert->rgbHashOfCert), p + 3 );
+ p[len + 3] = 0;
break;
}
case UsernameTargetCredential:
break;
}
case UsernameTargetCredential:
buf[i + 0] = (c1 << 6) | c0;
buf[i + 1] = (c2 << 4) | (c1 >> 2);
buf[i + 0] = (c1 << 6) | c0;
buf[i + 1] = (c2 << 4) | (c1 >> 2);
if ((c1 = char_decode( p[1] )) > 63) return FALSE;
buf[i + 0] = (c1 << 6) | c0;
if ((c1 = char_decode( p[1] )) > 63) return FALSE;
buf[i + 0] = (c1 << 6) | c0;
- buf[i + 1] = c1 >> 2;
- buf[i + 2] = 0;
- if ((c0 = char_decode( p[0] )) > 63) return FALSE;
-
- buf[i + 0] = c0;
- buf[i + 1] = 0;
- buf[i + 2] = 0;
TRACE("%s, %p, %p\n", debugstr_w(cred), type, out);
TRACE("%s, %p, %p\n", debugstr_w(cred), type, out);
- if (!cred || cred[0] != '@' || cred[1] != '@' || !cred[2] || !cred[3])
+ if (!cred || cred[0] != '@' || cred[1] != '@' ||
+ char_decode( cred[2] ) > 63)
{
SetLastError( ERROR_INVALID_PARAMETER );
return FALSE;
}
len = strlenW( cred + 3 );
{
SetLastError( ERROR_INVALID_PARAMETER );
return FALSE;
}
len = strlenW( cred + 3 );
+ *type = char_decode( cred[2] );
+ switch (*type)
- char hash[CERT_HASH_LENGTH + 2];
+ char hash[CERT_HASH_LENGTH];
CERT_CREDENTIAL_INFO *cert;
if (len != 27 || !cred_decode( cred + 3, len, hash ))
CERT_CREDENTIAL_INFO *cert;
if (len != 27 || !cred_decode( cred + 3, len, hash ))
if (!(cert = HeapAlloc( GetProcessHeap(), 0, sizeof(*cert) ))) return FALSE;
memcpy( cert->rgbHashOfCert, hash, sizeof(cert->rgbHashOfCert) );
cert->cbSize = sizeof(*cert);
if (!(cert = HeapAlloc( GetProcessHeap(), 0, sizeof(*cert) ))) return FALSE;
memcpy( cert->rgbHashOfCert, hash, sizeof(cert->rgbHashOfCert) );
cert->cbSize = sizeof(*cert);
- *type = CertCredential;
*out = cert;
break;
}
case UsernameTargetCredential:
{
USERNAME_TARGET_CREDENTIAL_INFO *target;
*out = cert;
break;
}
case UsernameTargetCredential:
{
USERNAME_TARGET_CREDENTIAL_INFO *target;
if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) ||
if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) ||
- !size || size % sizeof(WCHAR) || size > INT_MAX)
+ size % sizeof(WCHAR) || len - 6 != (size * 4 + 2) / 3)
{
SetLastError( ERROR_INVALID_PARAMETER );
return FALSE;
{
SetLastError( ERROR_INVALID_PARAMETER );
return FALSE;
}
target->UserName = (WCHAR *)(target + 1);
target->UserName[size / sizeof(WCHAR)] = 0;
}
target->UserName = (WCHAR *)(target + 1);
target->UserName[size / sizeof(WCHAR)] = 0;
- *type = UsernameTargetCredential;
FIXME("BinaryBlobCredential not implemented\n");
return FALSE;
default:
FIXME("BinaryBlobCredential not implemented\n");
return FALSE;
default:
- WARN("unhandled type %u\n", cred[2] - 'A');
+ WARN("unhandled type %u\n", *type);
+ SetLastError( ERROR_INVALID_PARAMETER );
return FALSE;
}
return TRUE;
return FALSE;
}
return TRUE;
if (name && name[0] == '@' && name[1] == '@' && name[2] > 'A' && name[3])
{
if (name && name[0] == '@' && name[1] == '@' && name[2] > 'A' && name[3])
{
- char hash[CERT_HASH_LENGTH + 2];
+ char hash[CERT_HASH_LENGTH];
int len = strlenW(name + 3 );
DWORD size;
int len = strlenW(name + 3 );
DWORD size;
projects / reactos.git / commitdiff