Derek Lesho : mountmgr.sys: Use SystemBuffer output for IOCTL_STORAGE_QUERY_PROPERTY.

Alexandre Julliard julliard at winehq.org
Tue Jul 21 15:40:22 CDT 2020


Module: wine
Branch: master
Commit: 8e98dcd42e13bfeb5a2397ff9bf1c7f63c224e23
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=8e98dcd42e13bfeb5a2397ff9bf1c7f63c224e23

Author: Derek Lesho <dlesho at codeweavers.com>
Date:   Mon Jul 20 11:20:15 2020 -0500

mountmgr.sys: Use SystemBuffer output for IOCTL_STORAGE_QUERY_PROPERTY.

In METHOD_BUFFERED ioctls, SystemBuffer must be used as both the input and output buffer.
Using UserBuffer directly, without any checks, is dangerous and non-functional, as it will
be overwritten by the contents of SystemBuffer in a correct implementation.

Signed-off-by: Derek Lesho <dlesho at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/mountmgr.sys/device.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/dlls/mountmgr.sys/device.c b/dlls/mountmgr.sys/device.c
index f7a1f1e9b5..97208da481 100644
--- a/dlls/mountmgr.sys/device.c
+++ b/dlls/mountmgr.sys/device.c
@@ -1771,12 +1771,11 @@ static void query_property( struct disk_device *device, IRP *irp )
 
         if (device->serial) len += strlen( device->serial ) + 1;
 
-        if (!irp->UserBuffer
-            || irpsp->Parameters.DeviceIoControl.OutputBufferLength < sizeof(STORAGE_DESCRIPTOR_HEADER))
+        if (irpsp->Parameters.DeviceIoControl.OutputBufferLength < sizeof(STORAGE_DESCRIPTOR_HEADER))
             irp->IoStatus.u.Status = STATUS_INVALID_PARAMETER;
         else if (irpsp->Parameters.DeviceIoControl.OutputBufferLength < len)
         {
-            descriptor = irp->UserBuffer;
+            descriptor = irp->AssociatedIrp.SystemBuffer;
             descriptor->Version = sizeof(STORAGE_DEVICE_DESCRIPTOR);
             descriptor->Size = len;
             irp->IoStatus.Information = sizeof(STORAGE_DESCRIPTOR_HEADER);
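Review bot: The dropped !irp->UserBuffer test leaves no pointer check before descriptor->Version is written in the short-buffer branch, so descriptor = irp->AssociatedIrp.SystemBuffer is only safe if the I/O manager always allocates SystemBuffer whenever OutputBufferLength is at least sizeof(STORAGE_DESCRIPTOR_HEADER). Either keep a NULL check on SystemBuffer that returns STATUS_INVALID_PARAMETER, or add a one-line comment stating that the length check implies a valid buffer for a METHOD_BUFFERED ioctl, so the invariant is visible to the next reader. The length check itself is sufficient for the two fields written here, since only Version and Size are stored and Information is set to sizeof(STORAGE_DESCRIPTOR_HEADER).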
@@ -1786,8 +1785,8 @@ static void query_property( struct disk_device *device, IRP *irp )
         {
             FIXME( "Faking StorageDeviceProperty data\n" );
 
-            memset( irp->UserBuffer, 0, irpsp->Parameters.DeviceIoControl.OutputBufferLength );
-            descriptor = irp->UserBuffer;
+            memset( irp->AssociatedIrp.SystemBuffer, 0, irpsp->Parameters.DeviceIoControl.OutputBufferLength );
+            descriptor = irp->AssociatedIrp.SystemBuffer;
             descriptor->Version = sizeof(STORAGE_DEVICE_DESCRIPTOR);
             descriptor->Size = len;
             descriptor->DeviceType = FILE_DEVICE_DISK;
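Review bot: The memset in the full-size branch now clears SystemBuffer, which the commit message says is also the input buffer, so the caller's query is destroyed at this line. Any field of the input that query_property still needs must be copied to a local before this point, and that ordering deserves a comment. As a style point, irp->AssociatedIrp.SystemBuffer is spelled out twice; assigning descriptor first and then calling memset( descriptor, 0, irpsp->Parameters.DeviceIoControl.OutputBufferLength ) keeps the pointer and the cleared region tied to the same variable. Zeroing the whole OutputBufferLength is worth keeping, since it prevents stale buffer contents from being copied back to the caller.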



