Mikko Rasa : secur32: Validate buffers passed to schan_DecryptMessage.
Alexandre Julliard
julliard at winehq.org
Wed Sep 15 18:18:40 CDT 2010
Module: wine
Branch: master
Commit: b424b3431ee4c07bfcdc54f58175f49b1f78780d
URL: http://source.winehq.org/git/wine.git/?a=commit;h=b424b3431ee4c07bfcdc54f58175f49b1f78780d
Author: Mikko Rasa <tdb at tdb.fi>
Date: Wed Sep 15 20:30:07 2010 +0300
secur32: Validate buffers passed to schan_DecryptMessage.
---
dlls/secur32/schannel.c | 50 ++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c
index 7a3bb3c..70458fa 100644
--- a/dlls/secur32/schannel.c
+++ b/dlls/secur32/schannel.c
@@ -1144,6 +1144,49 @@ static int schan_decrypt_message_get_next_buffer(const struct schan_transport *t
return -1;
}
+static int schan_validate_decrypt_buffer_desc(PSecBufferDesc message)
+{
+ int data_idx = -1;
+ unsigned int empty_count = 0;
+ unsigned int i;
+
+ if (message->cBuffers < 4)
+ {
+ WARN("Less than four buffers passed\n");
+ return -1;
+ }
+
+ for (i = 0; i < message->cBuffers; ++i)
+ {
+ SecBuffer *b = &message->pBuffers[i];
+ if (b->BufferType == SECBUFFER_DATA)
+ {
+ if (data_idx != -1)
+ {
+ WARN("More than one data buffer passed\n");
+ return -1;
+ }
+ data_idx = i;
+ }
+ else if (b->BufferType == SECBUFFER_EMPTY)
+ ++empty_count;
+ }
+
+ if (data_idx == -1)
+ {
+ WARN("No data buffer passed\n");
+ return -1;
+ }
+
+ if (empty_count < 3)
+ {
+ WARN("Less than three empty buffers passed\n");
+ return -1;
+ }
+
+ return data_idx;
+}
+
static SECURITY_STATUS SEC_ENTRY schan_DecryptMessage(PCtxtHandle context_handle,
PSecBufferDesc message, ULONG message_seq_no, PULONG quality)
{
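Review bot: schan_validate_decrypt_buffer_desc dereferences `message` and then indexes `message->pBuffers` for `cBuffers` entries without checking either pointer, so a descriptor with a count of four or more and a NULL array faults inside the validator instead of being rejected. A guard at the top, `if (!message || !message->pBuffers) return -1;`, would let the caller's new `SEC_E_INVALID_TOKEN` path cover that case too. This assumes nothing earlier in schan_DecryptMessage already rejects it, which is outside the hunk. The helper also has no header comment; one worth adding is `/* Returns the index of the single SECBUFFER_DATA buffer, or -1 unless there are at least four buffers, exactly one data buffer and at least three empty ones. */`. Lastly, `data_idx = i` stores an unsigned index in an `int` that doubles as the -1 sentinel, which is fine for realistic counts but deserves a short comment.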
@@ -1164,12 +1207,9 @@ static SECURITY_STATUS SEC_ENTRY schan_DecryptMessage(PCtxtHandle context_handle
dump_buffer_desc(message);
- idx = schan_find_sec_buffer_idx(message, 0, SECBUFFER_DATA);
+ idx = schan_validate_decrypt_buffer_desc(message);
if (idx == -1)
- {
- WARN("No data buffer passed\n");
- return SEC_E_INTERNAL_ERROR;
- }
+ return SEC_E_INVALID_TOKEN;
buffer = &message->pBuffers[idx];
data_size = buffer->cbBuffer;
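Review bot: The index returned by the validator is used straight away to read `buffer->cbBuffer`, yet the validator checks only `BufferType`, so a data buffer with a NULL `pvBuffer` or a zero length still passes as valid. If the code after this hunk (not visible here) does not already check these, add `if (!buffer->pvBuffer) return SEC_E_INVALID_TOKEN;` before `data_size` is consumed, and handle a too-short `cbBuffer` explicitly with whatever status the function uses for incomplete input. Separately, `dump_buffer_desc(message)` runs before the validation call, so the trace helper presumably walks the descriptor before it has been checked. Moving the dump after the `idx == -1` test, or confirming the helper tolerates malformed descriptors, would close that gap.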