[Bug 48473] New: kernelbase WaitNamedPipeW contains non-null terminated string, causing garbage output in trace logs

WineHQ Bugzilla wine-bugs at winehq.org
Thu Jan 16 18:33:13 CST 2020 

https://bugs.winehq.org/show_bug.cgi?id=48473

            Bug ID: 48473
           Summary: kernelbase WaitNamedPipeW contains non-null terminated
                    string, causing garbage output in trace logs
           Product: Wine
           Version: 5.0-rc5
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: kernelbase
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

--- snip ---
...
003b:Call KERNEL32.WaitNamedPipeW(0022d770
L"\\\\.\\pipe\\{49BD2028-1523-11D1-AD79-00C04FD8FDFF}",ffffffff) ret=00382fd4
003b:Call ntdll.RtlDosPathNameToNtPathName_U(0022d770
L"\\\\.\\pipe\\{49BD2028-1523-11D1-AD79-00C04FD8FDFF}",0022d318,00000000,00000000)
ret=7b04bacb
003b:Ret  ntdll.RtlDosPathNameToNtPathName_U() retval=00000001 ret=7b04bacb
003b:Call ntdll._wcsnicmp(023bd510
L"\\??\\pipe\\{49BD2028-1523-11D1-AD79-00C04FD8FDFF}",7b0735a0
L"\\??\\PIPE\\\6157\7469\614e\656d\5064\7069\5765\2500\2073\7830\3025\7838\n",00000009)
ret=7b04baf7
003b:Ret  ntdll._wcsnicmp() retval=00000000 ret=7b04baf7 
...
--- snip ---

The trace log contains garbage characters because the string is not NULL
terminated. Technically there is nothing wrong here - but still it would make
the log output less suspicious (uninitialized/corrupted memory).

Wine source:

https://source.winehq.org/git/wine.git/blob/0cbadb716ddaeb016ffe14deae2aaced59951064:/dlls/kernelbase/sync.c#l1009

--- snip ---
1337 BOOL WINAPI DECLSPEC_HOTPATCH WaitNamedPipeW( LPCWSTR name, DWORD timeout
)
1338 {
1339     static const WCHAR leadin[] =
{'\\','?','?','\\','P','I','P','E','\\'};
1340     NTSTATUS status;
1341     UNICODE_STRING nt_name, pipe_dev_name;
1342     FILE_PIPE_WAIT_FOR_BUFFER *pipe_wait;
1343     IO_STATUS_BLOCK iosb;
1344     OBJECT_ATTRIBUTES attr;
1345     ULONG wait_size;
1346     HANDLE pipe_dev;
1347 
1348     TRACE( "%s 0x%08x\n", debugstr_w(name), timeout );
1349 
1350     if (!RtlDosPathNameToNtPathName_U( name, &nt_name, NULL, NULL ))
return FALSE;
1351 
1352     if (nt_name.Length >= MAX_PATH * sizeof(WCHAR) ||
1353         nt_name.Length < sizeof(leadin) ||
1354         wcsnicmp( nt_name.Buffer, leadin, ARRAY_SIZE( leadin )) != 0)
1355     {
1356         RtlFreeUnicodeString( &nt_name );
1357         SetLastError( ERROR_PATH_NOT_FOUND );
1358         return FALSE;
1359     }
1360 
...
1399 }
--- snip ---

Line 1354, 'leadin' is not NULL terminated.

$ wine --version
wine-5.0-rc5

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list