Henri Verbeet : secur32: Only read complete records in schan_InitializeSecurityContextW().

Alexandre Julliard julliard at winehq.org
Mon Jul 9 14:56:38 CDT 2012


Module: wine
Branch: master
Commit: 2025e81585abf41bf8f9adb14c13b4dfba9ad691
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=2025e81585abf41bf8f9adb14c13b4dfba9ad691

Author: Henri Verbeet <hverbeet at codeweavers.com>
Date:   Sun Jul  8 16:06:35 2012 +0200

secur32: Only read complete records in schan_InitializeSecurityContextW().

---

 dlls/secur32/schannel.c |   28 +++++++++++++++++++++-------
 1 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c
index af34e66..cc287dc 100644
--- a/dlls/secur32/schannel.c
+++ b/dlls/secur32/schannel.c
@@ -668,6 +668,7 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
     struct schan_buffers *out_buffers;
     struct schan_credentials *cred;
     struct schan_transport transport;
+    SIZE_T expected_size = ~0UL;
     SECURITY_STATUS ret;
 
     TRACE("%p %p %s 0x%08x %d %d %p %d %p %p %p %p\n", phCredential, phContext,
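Review bot: The `~0UL` initializer on the added `expected_size` declaration has type unsigned long, which is not guaranteed to be as wide as SIZE_T. On a build where SIZE_T is wider, the sentinel would be 0xffffffff rather than all ones; `SIZE_T expected_size = ~(SIZE_T)0;` states the intent independent of width. This value appears to be what reaches `transport.in.limit` in the last hunk when the branch without input is taken, so a comment such as `/* no input record yet: leave the read limit unbounded */` would document it. That reading is inferred, because the `limit` field and the code that consumes it are outside the patch. The function body continues outside this hunk.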
@@ -714,7 +715,7 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
     }
     else
     {
-        unsigned int expected_size;
+        SIZE_T record_size = 0;
         unsigned char *ptr;
         SecBuffer *buffer;
         int idx;
@@ -727,17 +728,29 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
             return SEC_E_INCOMPLETE_MESSAGE;
 
         buffer = &pInput->pBuffers[idx];
-        if (buffer->cbBuffer < 5)
-            return SEC_E_INCOMPLETE_MESSAGE;
-
         ptr = buffer->pvBuffer;
-        expected_size = 5 + ((ptr[3] << 8) | ptr[4]);
-        if (buffer->cbBuffer < expected_size)
+        expected_size = 0;
+
+        while (buffer->cbBuffer > expected_size + 5)
+        {
+            record_size = 5 + ((ptr[3] << 8) | ptr[4]);
+
+            if (buffer->cbBuffer < expected_size + record_size)
+                break;
+
+            expected_size += record_size;
+            ptr += record_size;
+        }
+
+        if (!expected_size)
         {
-            TRACE("Expected %u bytes, but buffer only contains %u bytes.\n", expected_size, buffer->cbBuffer);
+            TRACE("Expected at least %lu bytes, but buffer only contains %u bytes.\n",
+                    max(6, record_size), buffer->cbBuffer);
             return SEC_E_INCOMPLETE_MESSAGE;
         }
 
+        TRACE("Using expected_size %lu.\n", expected_size);
+
         ctx = schan_get_object(phContext->dwLower, SCHAN_HANDLE_CTX);
     }
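Review bot: The two bounds checks in the new `while` loop add to `expected_size` before comparing, and they are the only validation of the length bytes `ptr[3]`/`ptr[4]`, which come from the peer. Since `expected_size` never exceeds `buffer->cbBuffer` inside the loop, the subtraction forms `while (buffer->cbBuffer - expected_size > 5)` and `if (buffer->cbBuffer - expected_size < record_size)` cannot wrap and make that invariant explicit. The bare `5` deserves a name or a comment such as `/* TLS record header: type (1), version (2), length (2) */`. The strict `>` means a trailing header with a zero-length payload is never counted as complete, and the `max(6, record_size)` in the TRACE suggests this is intended. If so, say it in a comment, because the removed code accepted a buffer of exactly 5 bytes.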
 
@@ -745,6 +758,7 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
 
     transport.ctx = ctx;
     init_schan_buffers(&transport.in, pInput, schan_init_sec_ctx_get_next_buffer);
+    transport.in.limit = expected_size;
     init_schan_buffers(&transport.out, pOutput, schan_init_sec_ctx_get_next_buffer);
     schan_imp_set_session_transport(ctx->session, &transport);
 



