[LSASRV] Add parameter validation in LsapSetLogonSessionData().

This commit is contained in:
Hermès Bélusca-Maïto 2019-06-18 02:27:47 +02:00
parent 8210396cb4
commit cf7981fe4e
No known key found for this signature in database
GPG key ID: 3B2539C65E7B93D0


@ -71,6 +71,7 @@ LsapSetLogonSessionData(
_In_ PUNICODE_STRING LogonDomain, _In_ PUNICODE_STRING LogonDomain,
_In_ PSID Sid) _In_ PSID Sid)
{ {
NTSTATUS Status;
PLSAP_LOGON_SESSION Session; PLSAP_LOGON_SESSION Session;
ULONG Length; ULONG Length;
@ -83,8 +84,15 @@ LsapSetLogonSessionData(
TRACE("LogonType %lu\n", LogonType); TRACE("LogonType %lu\n", LogonType);
Session->LogonType = LogonType; Session->LogonType = LogonType;
Status = RtlValidateUnicodeString(0, UserName);
if (!NT_SUCCESS(Status))
return STATUS_INVALID_PARAMETER;
/* UserName is mandatory and cannot be an empty string */
TRACE("UserName %wZ\n", UserName); TRACE("UserName %wZ\n", UserName);
Session->UserName.Buffer = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, UserName->MaximumLength); Session->UserName.Buffer = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
UserName->MaximumLength);
if (Session->UserName.Buffer == NULL) if (Session->UserName.Buffer == NULL)
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
@ -92,19 +100,53 @@ LsapSetLogonSessionData(
Session->UserName.MaximumLength = UserName->MaximumLength; Session->UserName.MaximumLength = UserName->MaximumLength;
RtlCopyMemory(Session->UserName.Buffer, UserName->Buffer, UserName->MaximumLength); RtlCopyMemory(Session->UserName.Buffer, UserName->Buffer, UserName->MaximumLength);
TRACE("LogonDomain %wZ\n", LogonDomain); Status = RtlValidateUnicodeString(0, LogonDomain);
Session->LogonDomain.Buffer = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, LogonDomain->MaximumLength); if (!NT_SUCCESS(Status))
if (Session->LogonDomain.Buffer == NULL) {
return STATUS_INSUFFICIENT_RESOURCES; /* Cleanup and fail */
if (Session->UserName.Buffer != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Session->UserName.Buffer);
Session->LogonDomain.Length = LogonDomain->Length; return STATUS_INVALID_PARAMETER;
Session->LogonDomain.MaximumLength = LogonDomain->MaximumLength; }
RtlCopyMemory(Session->LogonDomain.Buffer, LogonDomain->Buffer, LogonDomain->MaximumLength);
/* LogonDomain is optional and can be an empty string */
TRACE("LogonDomain %wZ\n", LogonDomain);
if (LogonDomain->Length)
{
Session->LogonDomain.Buffer = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
LogonDomain->MaximumLength);
if (Session->LogonDomain.Buffer == NULL)
{
/* Cleanup and fail */
if (Session->UserName.Buffer != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Session->UserName.Buffer);
return STATUS_INSUFFICIENT_RESOURCES;
}
Session->LogonDomain.Length = LogonDomain->Length;
Session->LogonDomain.MaximumLength = LogonDomain->MaximumLength;
RtlCopyMemory(Session->LogonDomain.Buffer, LogonDomain->Buffer, LogonDomain->MaximumLength);
}
else
{
RtlInitEmptyUnicodeString(&Session->LogonDomain, NULL, 0);
}
Length = RtlLengthSid(Sid); Length = RtlLengthSid(Sid);
Session->Sid = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length); Session->Sid = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length);
if (Session->UserName.Buffer == NULL) if (Session->Sid == NULL)
{
/* Cleanup and fail */
if (Session->LogonDomain.Buffer != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Session->LogonDomain.Buffer);
if (Session->UserName.Buffer != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Session->UserName.Buffer);
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCopyMemory(Session->Sid, Sid, Length); RtlCopyMemory(Session->Sid, Sid, Length);
@ -397,10 +439,9 @@ LsapGetLogonSessionData(IN OUT PLSA_API_MSG RequestMsg)
RtlCopyLuid(&LocalSessionData->LogonId, RtlCopyLuid(&LocalSessionData->LogonId,
&RequestMsg->GetLogonSessionData.Request.LogonId); &RequestMsg->GetLogonSessionData.Request.LogonId);
/* Copy the UserName string*/ /* Copy the UserName string */
LocalSessionData->UserName.Length = Session->UserName.Length; LocalSessionData->UserName.Length = Session->UserName.Length;
LocalSessionData->UserName.MaximumLength = Session->UserName.MaximumLength; LocalSessionData->UserName.MaximumLength = Session->UserName.MaximumLength;
if (Session->UserName.MaximumLength != 0) if (Session->UserName.MaximumLength != 0)
{ {
RtlCopyMemory(Ptr, Session->UserName.Buffer, Session->UserName.MaximumLength); RtlCopyMemory(Ptr, Session->UserName.Buffer, Session->UserName.MaximumLength);
@ -479,7 +520,6 @@ LsapGetLogonSessionData(IN OUT PLSA_API_MSG RequestMsg)
Ptr = (PUCHAR)((ULONG_PTR)Ptr + Session->Upn.MaximumLength); Ptr = (PUCHAR)((ULONG_PTR)Ptr + Session->Upn.MaximumLength);
} }
InitializeObjectAttributes(&ObjectAttributes, InitializeObjectAttributes(&ObjectAttributes,
NULL, NULL,
0, 0,
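Review bot: The three cleanup paths added in the third hunk of LsapSetLogonSessionData free Session->UserName.Buffer and Session->LogonDomain.Buffer but leave the freed pointers and their Length/MaximumLength fields in the Session, so if the caller keeps the session object around after a failure (the function's body starts and ends outside the hunks, so the Session's lifetime is not visible here) a later teardown or retry would see dangling pointers and could free them a second time. After each RtlFreeHeap clear the string, e.g. `RtlInitEmptyUnicodeString(&Session->UserName, NULL, 0);` and likewise for LogonDomain; with three copies of the same cleanup a single `goto Cleanup;` path at the end of the function would keep them in step. Separately, the new comment `/* UserName is mandatory and cannot be an empty string */` in the second hunk is not enforced by the code below it: RtlValidateUnicodeString(0, ...) only checks the length fields for consistency, so an empty UserName still reaches the allocation, and `if (UserName->Length == 0) return STATUS_INVALID_PARAMETER;` would make the code match the comment. The LogonDomain comment calls the string optional, yet a NULL LogonDomain pointer (which the RTL validation routine presumably accepts; verify) would be dereferenced at `if (LogonDomain->Length)`, so either state that a non-NULL, possibly empty string is required or guard that test with `LogonDomain != NULL &&`.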