[SCSIPORT]
authorRoel Messiant <roelmessiant@gmail.com>
Mon, 27 Dec 2010 10:15:36 +0000 (10:15 +0000)
committerRoel Messiant <roelmessiant@gmail.com>
Mon, 27 Dec 2010 10:15:36 +0000 (10:15 +0000)
- ScsiPortDeviceControl: Slight improvement to buffer length validation. Return failure status on a handful of failure cases. Prevents buffer overruns in user code.

svn path=/trunk/; revision=50158

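index 817d9de..566df4f 100644
--- a/reactos/drivers/storage/scsiport/scsiport.c
+++ b/reactos/drivers/storage/scsiport/scsiport.c
@@ -2809,7 +2809,8 @@ ScsiPortDeviceControl(IN PDEVICE_OBJECT DeviceObject,
 {
     PIO_STACK_LOCATION Stack;
     PSCSI_PORT_DEVICE_EXTENSION DeviceExtension;
-    NTSTATUS Status = STATUS_SUCCESS;
+    PDUMP_POINTERS DumpPointers;
+    NTSTATUS Status;
 
     DPRINT("ScsiPortDeviceControl()\n");
 
@@ -2821,15 +2822,22 @@ ScsiPortDeviceControl(IN PDEVICE_OBJECT DeviceObject,
     switch (Stack->Parameters.DeviceIoControl.IoControlCode)
     {
       case IOCTL_SCSI_GET_DUMP_POINTERS:
-       {
-         PDUMP_POINTERS DumpPointers;
-         DPRINT("  IOCTL_SCSI_GET_DUMP_POINTERS\n");
-         DumpPointers = (PDUMP_POINTERS)Irp->AssociatedIrp.SystemBuffer;
-         DumpPointers->DeviceObject = DeviceObject;
+        DPRINT("  IOCTL_SCSI_GET_DUMP_POINTERS\n");
 
-         Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
-       }
-       break;
+        if (Stack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(DUMP_POINTERS))
+        {
+          Status = STATUS_BUFFER_OVERFLOW;
+          Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
+          break;
+        }
+
+        DumpPointers = Irp->AssociatedIrp.SystemBuffer;
+        DumpPointers->DeviceObject = DeviceObject;
+        /* More data.. ? */
+
+        Status = STATUS_SUCCESS;
+        Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
+        break;
 
       case IOCTL_SCSI_GET_CAPABILITIES:
         DPRINT("  IOCTL_SCSI_GET_CAPABILITIES\n");
@@ -2865,16 +2873,18 @@ ScsiPortDeviceControl(IN PDEVICE_OBJECT DeviceObject,
 
       case IOCTL_SCSI_MINIPORT:
           DPRINT1("IOCTL_SCSI_MINIPORT unimplemented!\n");
+          Status = STATUS_NOT_IMPLEMENTED;
           break;
 
       case IOCTL_SCSI_PASS_THROUGH:
           DPRINT1("IOCTL_SCSI_PASS_THROUGH unimplemented!\n");
+          Status = STATUS_NOT_IMPLEMENTED;
           break;
 
       default:
-       DPRINT1("  unknown ioctl code: 0x%lX\n",
-              Stack->Parameters.DeviceIoControl.IoControlCode);
-       break;
+          DPRINT1("  unknown ioctl code: 0x%lX\n", Stack->Parameters.DeviceIoControl.IoControlCode);
+          Status = STATUS_NOT_IMPLEMENTED;
+          break;
     }
 
     /* Complete the request with the given status */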
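Review bot: In the IOCTL_SCSI_GET_DUMP_POINTERS case of the second hunk only `DumpPointers->DeviceObject` is assigned, yet `Irp->IoStatus.Information` reports a full `sizeof(DUMP_POINTERS)`, so the remaining bytes of the system buffer are handed back to the caller with whatever they held before; the `/* More data.. ? */` comment acknowledges that the other fields are left unfilled. Zeroing the structure before filling it, `RtlZeroMemory(DumpPointers, sizeof(DUMP_POINTERS));` right after the `DumpPointers =` assignment, keeps stale pool contents from reaching user mode until the remaining fields are populated. A second point, from the first hunk: `Status` lost its initializer, so every case of the switch must now assign it, and the cases between the second and third hunks (IOCTL_SCSI_GET_CAPABILITIES onward) are not in this diff, so I cannot confirm they all do; if any reaches the completion code without assigning, an indeterminate status is returned, and a defined default such as `NTSTATUS Status = STATUS_INVALID_DEVICE_REQUEST;` would be safer. ScsiPortDeviceControl begins before the first hunk and its completion code continues after the last.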