From: Thomas Faber
Date: Sat, 22 Sep 2012 09:48:27 +0000 (+0000)
Subject: [NPFS]
X-Git-Tag: backups/ros-csrss@57560~186
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=c721fa52d8e59638716ece2d69019cdb90b506d0;ds=sidebyside

[NPFS]
- Do not fail for a valid buffer size in NpfsPeekPipe
- Do not read from an output buffer in NpfsPeekPipe

svn path=/trunk/; revision=57362
---

diff --git a/reactos/drivers/filesystems/npfs/fsctrl.c b/reactos/drivers/filesystems/npfs/fsctrl.c
index e382c590b7c..a7eca3f1c36 100644
--- a/reactos/drivers/filesystems/npfs/fsctrl.c
+++ b/reactos/drivers/filesystems/npfs/fsctrl.c
@@ -581,14 +581,14 @@ NpfsPeekPipe(PIRP Irp,
 DPRINT("OutputBufferLength: %lu\n", OutputBufferLength);
 /* Validate parameters */
- if (OutputBufferLength < sizeof(FILE_PIPE_PEEK_BUFFER))
+ if (OutputBufferLength < FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]))
 {
 DPRINT1("Buffer too small\n");
 return STATUS_INVALID_PARAMETER;
 }
 Ccb = IoStack->FileObject->FsContext2;
- Reply = (PFILE_PIPE_PEEK_BUFFER)Irp->AssociatedIrp.SystemBuffer;
+ Reply = Irp->AssociatedIrp.SystemBuffer;
 //Fcb = Ccb->Fcb;
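Review bot: The relaxed size check in this hunk deserves a comment stating the contract it relies on, because a reader comparing it with the old `sizeof(FILE_PIPE_PEEK_BUFFER)` will read it as an off-by-one rather than a deliberate header-only minimum: `/* Only the fixed header must fit; Data[] is optional and each copy into it re-checks OutputBufferLength below */`. The later stores to Reply->MessageLength and Reply->NumberOfMessages are header fields, so they stay inside this validated minimum, while the two copies into Reply->Data are guarded by their own comparisons against OutputBufferLength. NpfsPeekPipe begins above this hunk, so where OutputBufferLength comes from (presumably the FSCTL's output length, given the SystemBuffer use) is not visible here.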
@@ -604,46 +604,49 @@ NpfsPeekPipe(PIRP Irp,
 {
 DPRINT("Byte Stream Mode\n");
 Reply->MessageLength = Ccb->ReadDataAvailable;
- DPRINT("Reply->MessageLength %lu\n",Reply->MessageLength );
+ DPRINT("Reply->MessageLength %lu\n", Reply->MessageLength);
 MessageCount = 1;
- if (Reply->Data[0] && (OutputBufferLength >= Ccb->ReadDataAvailable + FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0])))
+ if (OutputBufferLength >= FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[Ccb->ReadDataAvailable]))
 {
+ RtlCopyMemory(Reply->Data, BufferPtr, Ccb->ReadDataAvailable);
 ReturnLength = Ccb->ReadDataAvailable;
- memcpy(&Reply->Data[0], (PVOID)BufferPtr, Ccb->ReadDataAvailable);
 }
 }
 else
 {
 DPRINT("Message Mode\n");
- ReadDataAvailable=Ccb->ReadDataAvailable;
+ ReadDataAvailable = Ccb->ReadDataAvailable;
 if (ReadDataAvailable > 0)
 {
- memcpy(&Reply->MessageLength, BufferPtr, sizeof(ULONG));
+ RtlCopyMemory(&Reply->MessageLength,
+ BufferPtr,
+ sizeof(Reply->MessageLength));
 while ((ReadDataAvailable > 0) && (BufferPtr < Ccb->WritePtr))
 {
- memcpy(&MessageLength, BufferPtr, sizeof(MessageLength));
+ RtlCopyMemory(&MessageLength, BufferPtr, sizeof(MessageLength));
 ASSERT(MessageLength > 0);
- DPRINT("MessageLength = %lu\n",MessageLength);
+ DPRINT("MessageLength = %lu\n", MessageLength);
 ReadDataAvailable -= MessageLength;
 MessageCount++;
 /* If its the first message, copy the Message if the size of buffer is large enough */
- if (MessageCount==1)
+ if (MessageCount == 1)
 {
- if ((Reply->Data[0])
- && (OutputBufferLength >= (MessageLength + FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]))))
+ if (OutputBufferLength >= FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[MessageLength]))
 {
- memcpy(&Reply->Data[0], (PVOID)((ULONG_PTR)BufferPtr + sizeof(MessageLength)), MessageLength);
+ RtlCopyMemory(Reply->Data,
+ (PVOID)((ULONG_PTR)BufferPtr + sizeof(MessageLength)),
+ MessageLength);
 ReturnLength = MessageLength;
 }
 }
- BufferPtr =(PVOID)((ULONG_PTR)BufferPtr + MessageLength + sizeof(MessageLength));
+ BufferPtr = 
(PVOID)((ULONG_PTR)BufferPtr + sizeof(MessageLength) + MessageLength);
 DPRINT("BufferPtr = %x\n", BufferPtr);
 DPRINT("ReadDataAvailable: %lu\n", ReadDataAvailable);
 }
@@ -659,7 +662,7 @@ NpfsPeekPipe(PIRP Irp,
 Reply->NumberOfMessages = MessageCount;
- Irp->IoStatus.Information = ReturnLength + FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]);
+ Irp->IoStatus.Information = FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[ReturnLength]);
 Irp->IoStatus.Status = STATUS_SUCCESS;
 Status = STATUS_SUCCESS;
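Review bot: The two new guards `if (OutputBufferLength >= FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[Ccb->ReadDataAvailable]))` and the message-mode `... Data[MessageLength]))` derive the required size by indexing, so with the usual FIELD_OFFSET definition (a pointer difference cast to LONG) the right-hand side can wrap to a small value when the count is within a header's size of ULONG_MAX, and the RtlCopyMemory into Reply->Data that follows would then run past the output buffer. Whether Ccb->ReadDataAvailable or a MessageLength read out of the pipe buffer can reach that range depends on the write path's quota enforcement, which is not visible here, but the guard is easier to trust if it cannot wrap at all: the header-only check earlier in the function guarantees `OutputBufferLength - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0])` does not underflow, so `if (OutputBufferLength - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]) >= Ccb->ReadDataAvailable)` (and `>= MessageLength` in the message-mode branch) compares the remaining space directly. The same indexed form is used for `Irp->IoStatus.Information` in the last hunk, where ReturnLength has already passed one of these guards, so that site is fine. NpfsPeekPipe starts before and ends after this hunk.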