[BASESRV] Re-enable and actually fix the CsrValidateMessageBuffer() checks in BaseSrv... 3304/head
author Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
Sat, 17 Oct 2020 14:40:50 +0000 (16:40 +0200)
committer Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
Fri, 30 Oct 2020 00:58:16 +0000 (01:58 +0100)
Addendum to commit 0a392b18.

The actual problem that existed all along was that the buffers being
validated with CsrValidateMessageBuffer() were not the correct ones!

What had to be checked is the string buffer **INSIDE** the UNICODE_STRING
structures! Indeed, it is these buffers that we are allocating on the client side,
see https://github.com/reactos/reactos/blob/9b421af1/dll/win32/kernel32/client/dosdev.c#L324-L336

Dedicated to Pierre Schweitzer.

subsystems/win/basesrv/dosdev.c

index 958dcec..85cb0d7 100644 (file)
@@ -514,22 +514,21 @@ CSR_API(BaseSrvDefineDosDevice)
     PWSTR InterPtr;
     BOOLEAN RemoveFound;
 
-#if 0
-    /* FIXME: Check why it fails.... */
     if (!CsrValidateMessageBuffer(ApiMessage,
-                                  (PVOID*)&DefineDosDeviceRequest->DeviceName,
+                                  (PVOID*)&DefineDosDeviceRequest->DeviceName.Buffer,
                                   DefineDosDeviceRequest->DeviceName.Length,
-                                  1) ||
+                                  sizeof(BYTE)) ||
         (DefineDosDeviceRequest->DeviceName.Length & 1) != 0 ||
         !CsrValidateMessageBuffer(ApiMessage,
-                                  (PVOID*)&DefineDosDeviceRequest->TargetPath,
-                                  (DefineDosDeviceRequest->TargetPath.Length != 0 ? sizeof(UNICODE_NULL) : 0) + DefineDosDeviceRequest->TargetPath.Length,
-                                  1) ||
+                                  (PVOID*)&DefineDosDeviceRequest->TargetPath.Buffer,
+                                  DefineDosDeviceRequest->TargetPath.Length +
+                                    (DefineDosDeviceRequest->TargetPath.Length != 0
+                                        ? sizeof(UNICODE_NULL) : 0),
+                                  sizeof(BYTE)) ||
         (DefineDosDeviceRequest->TargetPath.Length & 1) != 0)
     {
         return STATUS_INVALID_PARAMETER;
     }
-#endif
 
     DPRINT("BaseSrvDefineDosDevice entered, Flags:%d, DeviceName:%wZ (%d), TargetPath:%wZ (%d)\n",
            DefineDosDeviceRequest->Flags,
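
Review bot: Both CsrValidateMessageBuffer() calls in this condition bound the captured buffers by Length only (plus sizeof(UNICODE_NULL) for a non-empty TargetPath), and nothing here looks at MaximumLength, so both UNICODE_STRINGs pass the check with a client-supplied MaximumLength that was never compared against Length or the validated size. Consider also rejecting the request when MaximumLength < Length for either string, or add a comment stating that the rest of BaseSrvDefineDosDevice may rely on Length only. It would also help to say in a comment why TargetPath is validated with room for a terminator while DeviceName is not, and to replace the removed FIXME with a line noting that the pointer being validated is the .Buffer field because that is the buffer the client side allocates. As a style point, the two (Length & 1) != 0 tests would read more clearly as Length % sizeof(WCHAR) != 0.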