[PATCH] Only process full TLS frames in schan_DecryptMessage
Mikko Rasa
tdb at tdb.fi
Mon Aug 30 15:57:07 CDT 2010
---
dlls/secur32/schannel.c | 26 ++++++++++++++++++++++++--
1 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c
index 3eff004..2b7d54d 100644
--- a/dlls/secur32/schannel.c
+++ b/dlls/secur32/schannel.c
@@ -107,6 +107,7 @@ struct schan_transport;
struct schan_buffers
{
SIZE_T offset;
+ SIZE_T limit;
const SecBufferDesc *desc;
int current_buffer_idx;
BOOL allow_buffer_resize;
@@ -494,6 +495,7 @@ static void init_schan_buffers(struct schan_buffers *s, const PSecBufferDesc des
int (*get_next_buffer)(const struct schan_transport *, struct schan_buffers *))
{
s->offset = 0;
+ s->limit = 0;
s->desc = desc;
s->current_buffer_idx = -1;
s->allow_buffer_resize = FALSE;
@@ -601,6 +603,16 @@ static ssize_t schan_pull(gnutls_transport_ptr_t transport, void *buff, size_t b
return -1;
}
+ if (t->in.limit != 0 && t->in.offset + buff_len >= t->in.limit)
+ {
+ buff_len = t->in.limit - t->in.offset;
+ if (buff_len == 0)
+ {
+ pgnutls_transport_set_errno(t->ctx->session, EAGAIN);
+ return -1;
+ }
+ }
+
memcpy(buff, b, buff_len);
t->in.offset += buff_len;
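Review bot: The clamp `buff_len = t->in.limit - t->in.offset` is unsigned, so it wraps to a huge length if `offset` is ever past `limit`, and that length goes straight into the `memcpy` below. The visible lines only advance `offset` by the clamped amount, so this may never happen today, but nothing in the hunk enforces it. The sum `t->in.offset + buff_len` can also wrap for a large `buff_len`. I would test the exhausted case first with `if (t->in.limit != 0 && t->in.offset >= t->in.limit)` returning EAGAIN, then clamp with `if (t->in.limit != 0 && buff_len > t->in.limit - t->in.offset) buff_len = t->in.limit - t->in.offset;`. schan_pull starts and ends outside this hunk, so the earlier handling of `b` and `buff_len` is not visible here.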
@@ -1212,10 +1224,11 @@ static SECURITY_STATUS SEC_ENTRY schan_DecryptMessage(PCtxtHandle context_handle
SecBuffer *buffer;
SIZE_T data_size;
char *data;
+ SIZE_T expected_size;
ssize_t received = 0;
ssize_t ret;
int idx;
- char *buf_ptr;
+ unsigned char *buf_ptr;
unsigned int offset;
TRACE("context_handle %p, message %p, message_seq_no %d, quality %p\n",
@@ -1230,12 +1243,22 @@ static SECURITY_STATUS SEC_ENTRY schan_DecryptMessage(PCtxtHandle context_handle
if (idx == -1)
return SEC_E_INVALID_TOKEN;
buffer = &message->pBuffers[idx];
+ buf_ptr = (unsigned char *)buffer->pvBuffer;
+
+ expected_size = 5 + ((buf_ptr[3] << 8) | buf_ptr[4]);
+ if(buffer->cbBuffer < expected_size)
+ {
+ TRACE("Expected %u bytes, but buffer only contains %u bytes\n", expected_size, buffer->cbBuffer);
+ TRACE("Returning SEC_E_INCOMPLETE_MESSAGE\n");
+ return SEC_E_INCOMPLETE_MESSAGE;
+ }
data_size = buffer->cbBuffer;
data = HeapAlloc(GetProcessHeap(), 0, data_size);
transport.ctx = ctx;
init_schan_buffers(&transport.in, message, schan_decrypt_message_get_next_buffer);
+ transport.in.limit = expected_size;
init_schan_buffers(&transport.out, NULL, NULL);
pgnutls_transport_set_ptr(ctx->session, (gnutls_transport_ptr_t)&transport);
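Review bot: `buf_ptr[3]` and `buf_ptr[4]` are read before anything checks that the data buffer holds a full 5-byte record header, so a buffer with `cbBuffer` below 5 is read past its end when `expected_size` is computed. Add `if (buffer->cbBuffer < 5) return SEC_E_INCOMPLETE_MESSAGE;` ahead of that line. A short comment should state that 5 is the TLS record header size and that bytes 3-4 carry the big-endian payload length supplied by the peer. The TRACE passes `expected_size`, a SIZE_T, to `%u`, which mismatches wherever SIZE_T is wider than unsigned int; cast the argument or use a matching format. schan_DecryptMessage starts and ends outside this hunk.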
@@ -1271,7 +1294,6 @@ static SECURITY_STATUS SEC_ENTRY schan_DecryptMessage(PCtxtHandle context_handle
TRACE("Received %zd bytes\n", received);
- buf_ptr = (char *)buffer->pvBuffer;
offset = ctx->header_bytes;
memcpy(buf_ptr + offset, data, received);
HeapFree(GetProcessHeap(), 0, data);
--
1.7.1