From 731eddfe40a0ae641a6a4b99273a9564a5b4ddc0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Sat, 17 Oct 2020 16:40:50 +0200
Subject: [PATCH] [BASESRV] Re-enable and actually fix the CsrValidateMessageBuffer() checks in BaseSrvDefineDosDevice(). (#3304)
Addendum to commit 0a392b18. The actual problem that existed all along was that the buffers being validated with CsrValidateMessageBuffer() were not the correct ones! What had to be checked is the string buffer **INSIDE** the UNICODE_STRING structures! Indeed, it is these buffers that we are allocating on client side, see https://github.com/reactos/reactos/blob/9b421af1/dll/win32/kernel32/client/dosdev.c#L324-L336 Dedicated to Pierre Schweitzer.
---
 subsystems/win/basesrv/dosdev.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/subsystems/win/basesrv/dosdev.c b/subsystems/win/basesrv/dosdev.c
index 958dceca8ee..85cb0d79b57 100644
--- a/subsystems/win/basesrv/dosdev.c
+++ b/subsystems/win/basesrv/dosdev.c
@@ -514,22 +514,21 @@ CSR_API(BaseSrvDefineDosDevice)
     PWSTR InterPtr;
     BOOLEAN RemoveFound;
 
-#if 0
-    /* FIXME: Check why it fails.... */
     if (!CsrValidateMessageBuffer(ApiMessage,
-                                  (PVOID*)&DefineDosDeviceRequest->DeviceName,
+                                  (PVOID*)&DefineDosDeviceRequest->DeviceName.Buffer,
                                   DefineDosDeviceRequest->DeviceName.Length,
-                                  1) ||
+                                  sizeof(BYTE)) ||
         (DefineDosDeviceRequest->DeviceName.Length & 1) != 0 ||
         !CsrValidateMessageBuffer(ApiMessage,
-                                  (PVOID*)&DefineDosDeviceRequest->TargetPath,
-                                  (DefineDosDeviceRequest->TargetPath.Length != 0 ? sizeof(UNICODE_NULL) : 0) + DefineDosDeviceRequest->TargetPath.Length,
-                                  1) ||
+                                  (PVOID*)&DefineDosDeviceRequest->TargetPath.Buffer,
+                                  DefineDosDeviceRequest->TargetPath.Length
+                                  + (DefineDosDeviceRequest->TargetPath.Length != 0
+                                     ? sizeof(UNICODE_NULL) : 0),
+                                  sizeof(BYTE)) ||
         (DefineDosDeviceRequest->TargetPath.Length & 1) != 0)
     {
         return STATUS_INVALID_PARAMETER;
     }
-#endif
 
     DPRINT("BaseSrvDefineDosDevice entered, Flags:%d, DeviceName:%wZ (%d), TargetPath:%wZ (%d)\n",
            DefineDosDeviceRequest->Flags,
-- 
2.17.1
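Review bot: The re-enabled checks bound `DeviceName.Buffer` and `TargetPath.Buffer` by their `Length`, but the `MaximumLength` field of both UNICODE_STRINGs stays client-controlled and unvalidated, so any later code in BaseSrvDefineDosDevice that writes through these strings with the Rtl string routines (which bound writes by `MaximumLength`, not `Length`) could still be steered past the region that was just validated; the function begins before and continues after this hunk, so whether such writes occur cannot be confirmed from here. The usual CSR hardening is to clamp immediately after validation succeeds, e.g. `DefineDosDeviceRequest->DeviceName.MaximumLength = DefineDosDeviceRequest->DeviceName.Length;` and `DefineDosDeviceRequest->TargetPath.MaximumLength = DefineDosDeviceRequest->TargetPath.Length + (DefineDosDeviceRequest->TargetPath.Length != 0 ? sizeof(UNICODE_NULL) : 0);`, so the in-message length fields can never describe more memory than was checked. A short comment above the `if`, such as `/* DeviceName is validated as Length bytes; TargetPath also covers the UNICODE_NULL the client appends to non-empty paths */`, would keep the next reader from "fixing" the asymmetry between the two sizes. Note also that a zero `TargetPath.Length` validates zero bytes at `TargetPath.Buffer`, so if the code below touches that buffer in the empty case (for instance to look for the terminator) it should guard on `Length == 0` first rather than rely on this check.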