From a988d3cfe212cb0decdedf3f9aa5c07a7716aeec Mon Sep 17 00:00:00 2001
From: Thomas Bluemel
Date: Sat, 14 Jan 2006 16:31:28 +0000
Subject: [PATCH] fixed possible buffer overflows in LookupAccountSidW(): LSA_UNICODE_STRINGs are not necessarily NULL-terminated!
svn path=/trunk/; revision=20855
---
 reactos/lib/advapi32/sec/misc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/reactos/lib/advapi32/sec/misc.c b/reactos/lib/advapi32/sec/misc.c
index 12b50e49d45..cbc1050ccad 100644
--- a/reactos/lib/advapi32/sec/misc.c
+++ b/reactos/lib/advapi32/sec/misc.c
@@ -872,15 +872,14 @@ LookupAccountSidW (
 PSID_NAME_USE peUse )
 {
 LSA_UNICODE_STRING SystemName;
- LSA_OBJECT_ATTRIBUTES ObjectAttributes;
- LSA_HANDLE PolicyHandle = INVALID_HANDLE_VALUE;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes = {0};
+ LSA_HANDLE PolicyHandle = NULL;
 NTSTATUS Status;
 PLSA_REFERENCED_DOMAIN_LIST ReferencedDomain = NULL;
 PLSA_TRANSLATED_NAME TranslatedName = NULL;
 BOOL ret;
 RtlInitUnicodeString ( &SystemName, pSystemName );
- ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
 Status = LsaOpenPolicy ( &SystemName, &ObjectAttributes, POLICY_LOOKUP_NAMES, &PolicyHandle );
 if ( !NT_SUCCESS(Status) )
 {
@@ -910,7 +909,8 @@ LookupAccountSidW (
 else
 {
 *pdwAccountName = dwSrcLen;
- wcscpy ( pAccountName, TranslatedName->Name.Buffer );
+ RtlCopyMemory ( pAccountName, TranslatedName->Name.Buffer, TranslatedName->Name.Length );
+ pAccountName[TranslatedName->Name.Length / sizeof(WCHAR)] = L'\0';
 }
 if ( peUse )
 *peUse = TranslatedName->Use;
@@ -929,7 +929,8 @@ LookupAccountSidW (
 else
 {
 *pdwDomainName = dwSrcLen;
- wcscpy ( pDomainName, ReferencedDomain->Domains[0].Name.Buffer );
+ RtlCopyMemory ( pDomainName, ReferencedDomain->Domains[0].Name.Buffer, ReferencedDomain->Domains[0].Name.Length );
+ pDomainName[ReferencedDomain->Domains[0].Name.Length / sizeof(WCHAR)] = L'\0';
 }
 }
 }
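Review bot: The terminating store `pAccountName[TranslatedName->Name.Length / sizeof(WCHAR)] = L'\0';` writes one WCHAR beyond the bytes RtlCopyMemory just copied, so the overflow is only closed if the size check that selects this else-branch (it goes through dwSrcLen, computed and compared against *pdwAccountName outside the hunk) already reserves Name.Length / sizeof(WCHAR) + 1 characters in the caller's buffer; the same holds for the pDomainName copy in the following hunk. Since neither the computation of dwSrcLen nor the comparison is visible here, that should be confirmed rather than assumed, and it is also worth verifying that the reported length in *pdwAccountName and *pdwDomainName is consistent with what the branch actually writes. A short comment on each RtlCopyMemory line would spare the next reader the same investigation: `/* Name.Length is a byte count and Name.Buffer is not guaranteed to be NUL-terminated */`. In the first hunk the initial value of PolicyHandle changes from INVALID_HANDLE_VALUE to NULL, so the cleanup path that decides whether to call LsaClose, which is outside the hunk, must test against NULL or the handle could leak or be closed while invalid. LookupAccountSidW starts and ends outside these hunks.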