[WS2_32]: Fix buffer overrun in getservbyname. Patch by Alexander Yastrebov - menone7 at gmail dot com
svn path=/trunk/; revision=48424
parent
18bc5a24b5
commit
75f1ada3df
1 changed files with 48 additions and 49 deletions
|
@ -1172,11 +1172,11 @@ getservbyname(IN CONST CHAR FAR* name,
|
||||||
PCHAR SystemDirectory = ServiceDBData; /* Reuse this stack space */
|
PCHAR SystemDirectory = ServiceDBData; /* Reuse this stack space */
|
||||||
PCHAR ServicesFileLocation = "\\drivers\\etc\\services";
|
PCHAR ServicesFileLocation = "\\drivers\\etc\\services";
|
||||||
PCHAR ThisLine = 0, NextLine = 0, ServiceName = 0, PortNumberStr = 0,
|
PCHAR ThisLine = 0, NextLine = 0, ServiceName = 0, PortNumberStr = 0,
|
||||||
ProtocolStr = 0, Comment = 0;
|
ProtocolStr = 0, Comment = 0, EndValid;
|
||||||
PCHAR Aliases[WS2_INTERNAL_MAX_ALIAS] = { 0 };
|
PCHAR Aliases[WS2_INTERNAL_MAX_ALIAS] = { 0 };
|
||||||
UINT i,SizeNeeded = 0,
|
UINT i,SizeNeeded = 0,
|
||||||
SystemDirSize = sizeof(ServiceDBData) - 1;
|
SystemDirSize = sizeof(ServiceDBData) - 1;
|
||||||
DWORD ReadSize = 0, ValidData = 0;
|
DWORD ReadSize = 0;
|
||||||
PWINSOCK_THREAD_BLOCK p = NtCurrentTeb()->WinSockData;
|
PWINSOCK_THREAD_BLOCK p = NtCurrentTeb()->WinSockData;
|
||||||
|
|
||||||
if( !p )
|
if( !p )
|
||||||
|
@ -1215,43 +1215,56 @@ getservbyname(IN CONST CHAR FAR* name,
|
||||||
WSASetLastError( WSANO_RECOVERY );
|
WSASetLastError( WSANO_RECOVERY );
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Scan the services file ...
|
/* Scan the services file ...
|
||||||
*
|
*
|
||||||
* We will read up to BUFSIZ bytes per pass, until the buffer does not
|
* We will be share the buffer on the lines. If the line does not fit in
|
||||||
* contain a full line, then we will try to read more.
|
* the buffer, then moving it to the beginning of the buffer and read
|
||||||
*
|
* the remnants of line from file.
|
||||||
* We fall from the loop if the buffer does not have a line terminator.
|
*/
|
||||||
*/
|
|
||||||
|
|
||||||
/* Initial Read */
|
/* Initial Read */
|
||||||
while(!Found &&
|
ReadFile(ServicesFile,
|
||||||
ReadFile(ServicesFile,
|
ServiceDBData,
|
||||||
ServiceDBData + ValidData,
|
sizeof( ServiceDBData ) - 1,
|
||||||
sizeof( ServiceDBData ) - ValidData,
|
&ReadSize, NULL );
|
||||||
&ReadSize,
|
ThisLine = NextLine = ServiceDBData;
|
||||||
NULL))
|
EndValid = ServiceDBData + ReadSize;
|
||||||
|
ServiceDBData[sizeof(ServiceDBData) - 1] = '\0';
|
||||||
|
|
||||||
|
while(ReadSize)
|
||||||
{
|
{
|
||||||
ValidData += ReadSize;
|
for(; *NextLine != '\r' && *NextLine != '\n'; NextLine++)
|
||||||
ReadSize = 0;
|
|
||||||
NextLine = ThisLine = ServiceDBData;
|
|
||||||
|
|
||||||
/* Find the beginning of the next line */
|
|
||||||
while(NextLine < ServiceDBData + ValidData &&
|
|
||||||
*NextLine != '\r' && *NextLine != '\n' )
|
|
||||||
{
|
{
|
||||||
NextLine++;
|
if(NextLine == EndValid)
|
||||||
|
{
|
||||||
|
int LineLen = NextLine - ThisLine;
|
||||||
|
|
||||||
|
if(ThisLine == ServiceDBData)
|
||||||
|
{
|
||||||
|
WS_DbgPrint(MIN_TRACE,("Line too long"));
|
||||||
|
WSASetLastError( WSANO_RECOVERY );
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
memmove(ServiceDBData, ThisLine, LineLen);
|
||||||
|
|
||||||
|
ReadFile(ServicesFile, ServiceDBData + LineLen,
|
||||||
|
sizeof( ServiceDBData )-1 - LineLen,
|
||||||
|
&ReadSize, NULL );
|
||||||
|
|
||||||
|
EndValid = ServiceDBData + LineLen + ReadSize;
|
||||||
|
NextLine = ServiceDBData + LineLen;
|
||||||
|
ThisLine = ServiceDBData;
|
||||||
|
|
||||||
|
if(!ReadSize) break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Zero and skip, so we can treat what we have as a string */
|
*NextLine = '\0';
|
||||||
if( NextLine > ServiceDBData + ValidData )
|
|
||||||
break;
|
|
||||||
|
|
||||||
*NextLine = 0; NextLine++;
|
|
||||||
|
|
||||||
Comment = strchr( ThisLine, '#' );
|
Comment = strchr( ThisLine, '#' );
|
||||||
if( Comment ) *Comment = 0; /* Terminate at comment start */
|
if( Comment ) *Comment = '\0'; /* Terminate at comment start */
|
||||||
|
|
||||||
if(DecodeServEntFromString(ThisLine,
|
if(DecodeServEntFromString(ThisLine,
|
||||||
&ServiceName,
|
&ServiceName,
|
||||||
&PortNumberStr,
|
&PortNumberStr,
|
||||||
|
@ -1268,22 +1281,8 @@ getservbyname(IN CONST CHAR FAR* name,
|
||||||
(NextLine - ThisLine);
|
(NextLine - ThisLine);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
NextLine++;
|
||||||
/* Get rid of everything we read so far */
|
ThisLine = NextLine;
|
||||||
while( NextLine <= ServiceDBData + ValidData &&
|
|
||||||
isspace( *NextLine ) )
|
|
||||||
{
|
|
||||||
NextLine++;
|
|
||||||
}
|
|
||||||
|
|
||||||
WS_DbgPrint(MAX_TRACE,("About to move %d chars\n",
|
|
||||||
ServiceDBData + ValidData - NextLine));
|
|
||||||
|
|
||||||
memmove(ServiceDBData,
|
|
||||||
NextLine,
|
|
||||||
ServiceDBData + ValidData - NextLine );
|
|
||||||
ValidData -= NextLine - ServiceDBData;
|
|
||||||
WS_DbgPrint(MAX_TRACE,("Valid bytes: %d\n", ValidData));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This we'll do no matter what */
|
/* This we'll do no matter what */
|
||||||
|
|
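Review bot: In the second hunk the line scan `for(; *NextLine != '\r' && *NextLine != '\n'; NextLine++)` reads `*NextLine` before the `NextLine == EndValid` test and relies on exact equality, so the byte at `EndValid` (stale data from an earlier read, or whatever the `SystemDirectory` reuse of this buffer left there) is examined as if it were file content. If that byte is a CR or LF, the loop exits without refilling and the trailing `NextLine++` steps past `EndValid`, after which the equality check can no longer fire; the `'\0'` stored in the last element of `ServiceDBData` does not stop the scan either, so both the read and the `*NextLine = '\0'` store can run beyond the array. Separately, after a successful refill the `for` increment runs before the condition, so the first newly read byte is never tested and a terminator at that position is missed. I would test the bound first with `>=` and re-test the current byte after a refill, as sketched below. getservbyname starts before the first hunk and continues after the last one.

```c
    while(ReadSize)
    {
        for(;;)
        {
            if(NextLine >= EndValid)
            {
                /* … unchanged: "Line too long" check, memmove and refill … */

                if(!ReadSize) break;
                continue; /* re-test the first refilled byte */
            }

            if(*NextLine == '\r' || *NextLine == '\n') break;
            NextLine++;
        }

        /* … unchanged: terminate the line at NextLine and decode it … */
```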