diff --git a/reactos/dll/win32/kernel32/misc/console.c b/reactos/dll/win32/kernel32/misc/console.c
index 626daa3787e..3c2f45c2a24 100644
--- a/reactos/dll/win32/kernel32/misc/console.c
+++ b/reactos/dll/win32/kernel32/misc/console.c
@@ -327,13 +327,13 @@ GetConsoleAliasW (LPWSTR lpSource,
 LPWSTR lpExeName)
 {
 PCSR_API_MESSAGE Request;
+ PCSR_CAPTURE_BUFFER CaptureBuffer;
 ULONG CsrRequest;
 NTSTATUS Status;
 ULONG Size;
 ULONG ExeLength;
 ULONG SourceLength;
 ULONG RequestLength;
- //PVOID CaptureBuffer;
 WCHAR * Ptr;
 DPRINT("GetConsoleAliasW entered lpSource %S lpExeName %S\n", lpSource, lpExeName);
@@ -343,12 +343,11 @@ GetConsoleAliasW (LPWSTR lpSource,
 ExeLength = wcslen(lpExeName) + 1;
 SourceLength = wcslen(lpSource) + 1;
- Size = (ExeLength + SourceLength + CSRSS_MAX_ALIAS_TARGET_LENGTH) * sizeof(WCHAR);
+ Size = (ExeLength + SourceLength) * sizeof(WCHAR);
 RequestLength = Size + sizeof(CSR_API_MESSAGE);
 Request = RtlAllocateHeap(GetProcessHeap(), 0, RequestLength);
-#if 0
 CaptureBuffer = CsrAllocateCaptureBuffer(1, TargetBufferLength);
 if (!CaptureBuffer)
 {
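Review bot: `Request = RtlAllocateHeap(GetProcessHeap(), 0, RequestLength);` is still unchecked when the re-enabled `CsrAllocateCaptureBuffer` call runs, and the next hunk copies both strings through `Ptr` into that allocation, so an allocation failure becomes a NULL-based write instead of an error; add `if (!Request) { SetLastError(ERROR_NOT_ENOUGH_MEMORY); return 0; }` directly after it. The `if (!CaptureBuffer)` failure path continues below the hunk; if it returns without `RtlFreeHeap(GetProcessHeap(), 0, Request)`, the message allocation now leaks on that path, which the old `#if 0` made unreachable. GetConsoleAliasW starts before this hunk and continues after it.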
@@ -363,36 +362,32 @@ GetConsoleAliasW (LPWSTR lpSource,
 (PVOID*)&Request->Data.GetConsoleAlias.TargetBuffer);
 Request->Data.GetConsoleAlias.TargetBufferLength = TargetBufferLength;
-#endif
-
 Ptr = (LPWSTR)((ULONG_PTR)Request + sizeof(CSR_API_MESSAGE));
 wcscpy(Ptr, lpSource);
 Ptr += SourceLength;
 wcscpy(Ptr, lpExeName);
- Ptr += ExeLength;
 Request->Data.GetConsoleAlias.ExeLength = ExeLength;
- Request->Data.GetConsoleAlias.TargetBufferLength = CSRSS_MAX_ALIAS_TARGET_LENGTH * sizeof(WCHAR);
 Request->Data.GetConsoleAlias.SourceLength = SourceLength;
 Status = CsrClientCallServer(Request,
- NULL, //CaptureBuffer,
+ CaptureBuffer,
 CsrRequest,
 sizeof(CSR_API_MESSAGE) + Size);
 if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request->Status))
 {
 RtlFreeHeap(GetProcessHeap(), 0, Request);
- //CsrFreeCaptureBuffer(CaptureBuffer);
+ CsrFreeCaptureBuffer(CaptureBuffer);
 SetLastErrorByStatus(Status);
 return 0;
 }
- wcscpy(lpTargetBuffer, Ptr);
+ wcscpy(lpTargetBuffer, Request->Data.GetConsoleAlias.TargetBuffer);
 RtlFreeHeap(GetProcessHeap(), 0, Request);
- //CsrFreeCaptureBuffer(CaptureBuffer);
+ CsrFreeCaptureBuffer(CaptureBuffer);
- return Size;
+ return Request->Data.GetConsoleAlias.BytesWritten;
 }
@@ -424,13 +419,13 @@ GetConsoleAliasA (LPSTR lpSource,
 lpwTargetBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, TargetBufferLength * sizeof(WCHAR));
- dwResult = GetConsoleAliasW(lpwSource, lpwTargetBuffer, TargetBufferLength, lpwExeName);
+ dwResult = GetConsoleAliasW(lpwSource, lpwTargetBuffer, TargetBufferLength * sizeof(WCHAR), lpwExeName);
 HeapFree(GetProcessHeap(), 0, lpwSource);
 HeapFree(GetProcessHeap(), 0, lpwExeName);
 if (dwResult)
- dwResult = WideCharToMultiByte(CP_ACP, 0, lpwTargetBuffer, dwResult, lpTargetBuffer, TargetBufferLength, NULL, NULL);
+ dwResult = WideCharToMultiByte(CP_ACP, 0, lpwTargetBuffer, dwResult / sizeof(WCHAR), lpTargetBuffer, TargetBufferLength, NULL, NULL);
 HeapFree(GetProcessHeap(), 0, lpwTargetBuffer);
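Review bot: `return Request->Data.GetConsoleAlias.BytesWritten;` reads the request message after `RtlFreeHeap(GetProcessHeap(), 0, Request);` two lines earlier, which is a use-after-free and returns whatever the heap left behind. Capture the value first, e.g. `ULONG BytesWritten = Request->Data.GetConsoleAlias.BytesWritten;` before the `wcscpy`, then `return BytesWritten;` after the frees. The `wcscpy` into `lpTargetBuffer` also trusts CSRSS to have NUL-terminated `TargetBuffer` inside `TargetBufferLength` (the server hunk does check `Length` against it before its own `wcscpy`), but since that buffer lives in shared memory a copy bounded by `TargetBufferLength` with a forced terminator would keep any server-side slip from overrunning the caller's buffer. GetConsoleAliasW starts before this hunk.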
@@ -446,27 +441,42 @@ GetConsoleAliasExesW (LPWSTR lpExeNameBuffer,
 DWORD ExeNameBufferLength)
 {
 CSR_API_MESSAGE Request;
+ PCSR_CAPTURE_BUFFER CaptureBuffer;
 ULONG CsrRequest;
 NTSTATUS Status;
 DPRINT("GetConsoleAliasExesW entered\n");
+ CaptureBuffer = CsrAllocateCaptureBuffer(1, ExeNameBufferLength);
+ if (!CaptureBuffer)
+ {
+ SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+ return 0;
+ }
+
 CsrRequest = MAKE_CSR_API(GET_CONSOLE_ALIASES_EXES, CSR_NATIVE);
- Request.Data.GetConsoleAliasesExes.ExeNames = lpExeNameBuffer;
+ CsrAllocateMessagePointer(CaptureBuffer,
+ ExeNameBufferLength,
+ (PVOID*)&Request.Data.GetConsoleAliasesExes.ExeNames);
 Request.Data.GetConsoleAliasesExes.Length = ExeNameBufferLength;
 Status = CsrClientCallServer(& Request,
- NULL,
+ CaptureBuffer,
 CsrRequest,
 sizeof(CSR_API_MESSAGE));
 if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))
 {
 SetLastErrorByStatus(Status);
+ CsrFreeCaptureBuffer(CaptureBuffer);
 return 0;
 }
- return Request.Data.GetConsoleAliasesExes.BytesWritten / sizeof(WCHAR);
+ memcpy(lpExeNameBuffer,
+ Request.Data.GetConsoleAliasesExes.ExeNames,
+ Request.Data.GetConsoleAliasesExes.BytesWritten);
+ CsrFreeCaptureBuffer(CaptureBuffer);
+ return Request.Data.GetConsoleAliasesExes.BytesWritten;
 }
@@ -484,10 +494,10 @@ GetConsoleAliasExesA (LPSTR lpExeNameBuffer,
 lpwExeNameBuffer = HeapAlloc(GetProcessHeap(), 0, ExeNameBufferLength * sizeof(WCHAR));
- dwResult = GetConsoleAliasExesW(lpwExeNameBuffer, ExeNameBufferLength);
+ dwResult = GetConsoleAliasExesW(lpwExeNameBuffer, ExeNameBufferLength * sizeof(WCHAR));
 if (dwResult)
- dwResult = WideCharToMultiByte(CP_ACP, 0, lpwExeNameBuffer, dwResult, lpExeNameBuffer, ExeNameBufferLength, NULL, NULL);
+ dwResult = WideCharToMultiByte(CP_ACP, 0, lpwExeNameBuffer, dwResult / sizeof(WCHAR), lpExeNameBuffer, ExeNameBufferLength, NULL, NULL);
 HeapFree(GetProcessHeap(), 0, lpwExeNameBuffer);
 return dwResult;
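Review bot: The `memcpy` into `lpExeNameBuffer` takes its length from `Request.Data.GetConsoleAliasesExes.BytesWritten`, a value written back by the server that the client never clamps to `ExeNameBufferLength`; `Request` is an uninitialised stack `CSR_API_MESSAGE`, so any server path that reports success without setting the field copies a garbage length over the caller's buffer. Guard it before the copy: `if (Request.Data.GetConsoleAliasesExes.BytesWritten > ExeNameBufferLength) { CsrFreeCaptureBuffer(CaptureBuffer); SetLastError(ERROR_INSUFFICIENT_BUFFER); return 0; }`. `ExeNames` is likewise only set through `CsrAllocateMessagePointer`, whose result is discarded; if that helper can fail, the field keeps whatever the uninitialised union held when the message is sent.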
diff --git a/reactos/subsystems/win32/csrss/api/alias.c b/reactos/subsystems/win32/csrss/api/alias.c
index 2a46bd79fed..06be74715ae 100644
--- a/reactos/subsystems/win32/csrss/api/alias.c
+++ b/reactos/subsystems/win32/csrss/api/alias.c
@@ -34,6 +34,21 @@ typedef struct tagALIAS_HEADER
 static PALIAS_HEADER RootHeader = NULL;
+/* Ensure that a buffer is contained within the process's shared memory section. */
+static BOOL
+ValidateBuffer(PCSRSS_PROCESS_DATA ProcessData, PVOID Buffer, ULONG Size)
+{
+ ULONG Offset = (BYTE *)Buffer - (BYTE *)ProcessData->CsrSectionViewBase;
+ if (Offset >= ProcessData->CsrSectionViewSize
+ || Size > (ProcessData->CsrSectionViewSize - Offset))
+ {
+ DPRINT1("Invalid buffer %p %d; not within %p %d\n",
+ Buffer, Size, ProcessData->CsrSectionViewBase, ProcessData->CsrSectionViewSize);
+ return FALSE;
+ }
+ return TRUE;
+}
+
 static PALIAS_HEADER
 IntFindAliasHeader(PALIAS_HEADER RootHeader, LPCWSTR lpExeName)
@@ -44,7 +59,7 @@ IntFindAliasHeader(PALIAS_HEADER RootHeader, LPCWSTR lpExeName)
 if (!diff)
 return RootHeader;
- if (diff < 0)
+ if (diff > 0)
 break;
 RootHeader = RootHeader->Next;
@@ -62,8 +77,9 @@ IntCreateAliasHeader(LPCWSTR lpExeName)
 if (!Entry)
 return Entry;
- Entry->lpExeName = (LPCWSTR)(Entry + sizeof(ALIAS_HEADER));
+ Entry->lpExeName = (LPCWSTR)(Entry + 1);
 wcscpy((WCHAR*)Entry->lpExeName, lpExeName);
+ Entry->Data = NULL;
 Entry->Next = NULL;
 return Entry;
 }
@@ -117,7 +133,7 @@ IntGetAliasEntry(PALIAS_HEADER Header, LPCWSTR lpSrcName)
 if (!diff)
 return RootHeader;
- if (diff < 0)
+ if (diff > 0)
 break;
 RootHeader = RootHeader->Next;
@@ -175,7 +191,7 @@ IntCreateAliasEntry(LPCWSTR lpSource, LPCWSTR lpTarget)
 if (!Entry)
 return Entry;
- Entry->lpSource = (LPCWSTR)(Entry + sizeof(ALIAS_ENTRY));
+ Entry->lpSource = (LPCWSTR)(Entry + 1);
 wcscpy((LPWSTR)Entry->lpSource, lpSource);
 Entry->lpTarget = Entry->lpSource + dwSource;
 wcscpy((LPWSTR)Entry->lpTarget, lpTarget);
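Review bot: `ULONG Offset = (BYTE *)Buffer - (BYTE *)ProcessData->CsrSectionViewBase;` truncates a pointer difference to 32 bits, so on a 64-bit build a client pointer whose distance from the view base is a multiple of 4 GiB folds to a small `Offset` and passes, and a pointer below the base is only rejected because the negative difference happens to wrap above `CsrSectionViewSize`. Do the arithmetic in pointer width and make the below-base case explicit: `if ((ULONG_PTR)Buffer < (ULONG_PTR)ProcessData->CsrSectionViewBase) return FALSE;` followed by `ULONG_PTR Offset = (ULONG_PTR)Buffer - (ULONG_PTR)ProcessData->CsrSectionViewBase;`, keeping the two existing comparisons. The `DPRINT1` also prints `Size` and `CsrSectionViewSize` with `%d`; `%lu` matches an unsigned 32-bit value. The `Size > (CsrSectionViewSize - Offset)` form itself is sound: no overflow, and `Offset >= CsrSectionViewSize` is checked first.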
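Review bot: `Entry->lpExeName = (LPCWSTR)(Entry + 1);` now stores the name immediately after the header, so the following `wcscpy` is only in bounds if the `RtlAllocateHeap` size computed above the hunk covers `sizeof(ALIAS_HEADER)` plus the terminated string; that allocation is outside this hunk, so I can't confirm it here. A one-line comment would pin the invariant for the next reader: `/* lpExeName is stored inline, right after the header; the allocation above must cover both */`. The same applies to the `(Entry + 1)` / `dwSource` layout in `IntCreateAliasEntry` further down. IntCreateAliasHeader starts before this hunk.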
@@ -192,9 +208,10 @@ IntGetConsoleAliasesExesLength(PALIAS_HEADER RootHeader)
 while(RootHeader)
 {
 length += (wcslen(RootHeader->lpExeName) + 1) * sizeof(WCHAR);
+ RootHeader = RootHeader->Next;
 }
 if (length)
- length++; // last entry entry is terminated with 2 zero bytes
+ length += sizeof(WCHAR); // last entry entry is terminated with 2 zero bytes
 return length;
 }
@@ -236,6 +253,7 @@ IntGetAllConsoleAliasesLength(PALIAS_HEADER Header)
 Length += wcslen(CurEntry->lpSource);
 Length += wcslen(CurEntry->lpTarget);
 Length += 2; // zero byte and '='
+ CurEntry = CurEntry->Next;
 }
 if (Length)
@@ -374,7 +392,7 @@ CSR_API(CsrGetConsoleAlias)
 lpSource = (LPWSTR)((ULONG_PTR)Request + sizeof(CSR_API_MESSAGE));
 lpExeName = lpSource + Request->Data.GetConsoleAlias.SourceLength;
- lpTarget = (LPWSTR)lpExeName + Request->Data.GetConsoleAlias.ExeLength;
+ lpTarget = Request->Data.GetConsoleAlias.TargetBuffer;
 DPRINT("CsrGetConsoleAlias entered lpExeName %p lpSource %p TargetBuffer %p TargetBufferLength %u\n",
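Review bot: `IntGetAllConsoleAliasesLength` accumulates `wcslen` character counts (`Length += 2; // zero byte and '='`) while its sibling `IntGetConsoleAliasesExesLength` in the hunk above returns bytes (`* sizeof(WCHAR)`), and `CsrGetAllConsoleAliases` compares this result against `AliasBufferLength`, the same value it hands to `ValidateBuffer` as a byte size. If `Length` is not scaled by `sizeof(WCHAR)` after the `if (Length)` that closes this hunk, the too-small check admits a buffer half the required size and the later copy runs past the client's shared-memory buffer; the rest of the function is not visible here, so this may already be handled. Either convert at the end (`return Length * sizeof(WCHAR);` style) or state the unit in a comment above the function, e.g. `/* Returns the required size in WCHARs, not bytes */`. IntGetAllConsoleAliasesLength starts before this hunk and continues after it.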
@@ -404,23 +422,17 @@ CSR_API(CsrGetConsoleAlias)
 Length = (wcslen(Entry->lpTarget)+1) * sizeof(WCHAR);
 if (Length > Request->Data.GetConsoleAlias.TargetBufferLength)
 {
- Request->Status = ERROR_INSUFFICIENT_BUFFER;
+ Request->Status = STATUS_BUFFER_TOO_SMALL;
 return Request->Status;
 }
-#if 0
- if (((PVOID)lpTarget < ProcessData->CsrSectionViewBase)
- || (((ULONG_PTR)lpTarget + Request->Data.GetConsoleAlias.TargetBufferLength) > ((ULONG_PTR)ProcessData->CsrSectionViewBase + ProcessData->CsrSectionViewSize)))
+ if (!ValidateBuffer(ProcessData, lpTarget, Request->Data.GetConsoleAlias.TargetBufferLength))
 {
 Request->Status = STATUS_ACCESS_VIOLATION;
- DPRINT1("CsrGetConsoleAlias out of range lpTarget %p LowerViewBase %p UpperViewBase %p Size %p\n", lpTarget,
- ProcessData->CsrSectionViewBase, (ULONG_PTR)ProcessData->CsrSectionViewBase + ProcessData->CsrSectionViewSize, ProcessData->CsrSectionViewSize);
 return Request->Status;
 }
-#endif
 wcscpy(lpTarget, Entry->lpTarget);
- lpTarget[CSRSS_MAX_ALIAS_TARGET_LENGTH-1] = '\0';
 Request->Data.GetConsoleAlias.BytesWritten = Length;
 Request->Status = STATUS_SUCCESS;
 return Request->Status;
@@ -446,7 +458,15 @@ CSR_API(CsrGetAllConsoleAliases)
 if (IntGetAllConsoleAliasesLength(Header) > Request->Data.GetAllConsoleAlias.AliasBufferLength)
 {
- Request->Status = ERROR_INSUFFICIENT_BUFFER;
+ Request->Status = STATUS_BUFFER_OVERFLOW;
+ return Request->Status;
+ }
+
+ if (!ValidateBuffer(ProcessData,
+ Request->Data.GetAllConsoleAlias.AliasBuffer,
+ Request->Data.GetAllConsoleAlias.AliasBufferLength))
+ {
+ Request->Status = STATUS_ACCESS_VIOLATION;
 return Request->Status;
 }
@@ -495,7 +515,7 @@ CSR_API(CsrGetConsoleAliasesExes)
 if (ExesLength > Request->Data.GetConsoleAliasesExes.Length)
 {
- Request->Status = ERROR_INSUFFICIENT_BUFFER;
+ Request->Status = STATUS_BUFFER_OVERFLOW;
 return Request->Status;
 }
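Review bot: The new `ValidateBuffer` call bounds the output `lpTarget`, but nothing in the visible hunks bounds the inputs: `lpSource` and `lpExeName` are positioned from the client-supplied `SourceLength` (previous hunk) and already used for the lookup that produced `Entry`, so a message whose `SourceLength`/`ExeLength` exceed the data actually sent makes the string compares in CSRSS read past the end of the message. Check once, before the lookup, that `(SourceLength + ExeLength) * sizeof(WCHAR)` fits in the received message data and that `lpSource[SourceLength - 1]` and `lpExeName[ExeLength - 1]` are `L'\0'`, failing with `STATUS_INVALID_PARAMETER`; if that check already exists above the hunk, a comment pointing at it next to `lpTarget = ...` would save the next reviewer the search. CsrGetConsoleAlias starts before this hunk and continues after it.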
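Review bot: `Request->Status = STATUS_BUFFER_OVERFLOW;` swaps a Win32 `ERROR_INSUFFICIENT_BUFFER` for a warning-class NTSTATUS that the client's `SetLastErrorByStatus` maps to `ERROR_MORE_DATA`, while `CsrGetConsoleAlias` in the hunk above uses `STATUS_BUFFER_TOO_SMALL` (which maps back to `ERROR_INSUFFICIENT_BUFFER`) for the identical condition, and `CsrGetConsoleAliasesExes` below repeats the `STATUS_BUFFER_OVERFLOW` choice. Nothing is written before the early return, so `STATUS_BUFFER_TOO_SMALL` is the accurate code and keeps the three APIs consistent: `Request->Status = STATUS_BUFFER_TOO_SMALL;` here and in `CsrGetConsoleAliasesExes`. Both clients still reject the result either way (`NT_SUCCESS` is false for warning codes), so this affects the `GetLastError` value rather than error detection. CsrGetAllConsoleAliases starts before this hunk and continues after it.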
@@ -505,6 +525,14 @@ CSR_API(CsrGetConsoleAliasesExes)
 return Request->Status;
 }
+ if (!ValidateBuffer(ProcessData,
+ Request->Data.GetConsoleAliasesExes.ExeNames,
+ Request->Data.GetConsoleAliasesExes.Length))
+ {
+ Request->Status = STATUS_ACCESS_VIOLATION;
+ return Request->Status;
+ }
+
 BytesWritten = IntGetConsoleAliasesExes(RootHeader,
 Request->Data.GetConsoleAliasesExes.ExeNames,
 Request->Data.GetConsoleAliasesExes.Length);