Zebediah Figura : server: Validate the output size of IOCTL_AFD_BIND against the input address size rather than sizeof(struct sockaddr).

Alexandre Julliard julliard at winehq.org
Fri Jul 23 18:08:01 CDT 2021 

Module: wine
Branch: master
Commit: c06e5693cb421692c85a87da3e90a94182651a48
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=c06e5693cb421692c85a87da3e90a94182651a48

Author: Zebediah Figura <zfigura at codeweavers.com>
Date:   Fri Jul 23 11:39:07 2021 -0500

server: Validate the output size of IOCTL_AFD_BIND against the input address size rather than sizeof(struct sockaddr).

Signed-off-by: Zebediah Figura <zfigura at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/ws2_32/tests/afd.c | 4 ++--
 server/sock.c           | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dlls/ws2_32/tests/afd.c b/dlls/ws2_32/tests/afd.c
index 32daab0beab..c31d1def139 100644
--- a/dlls/ws2_32/tests/afd.c
+++ b/dlls/ws2_32/tests/afd.c
@@ -1610,7 +1610,7 @@ static void test_bind(void)
     memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
     ret = NtDeviceIoControlFile((HANDLE)s, event, NULL, NULL, &io, IOCTL_AFD_BIND,
             params, params6_size, &addr6, sizeof(addr6) - 1);
-    todo_wine ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
+    ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
 
     memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
     ret = NtDeviceIoControlFile((HANDLE)s, event, NULL, NULL, &io, IOCTL_AFD_BIND,
@@ -1620,7 +1620,7 @@ static void test_bind(void)
     memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
     ret = NtDeviceIoControlFile((HANDLE)s, event, NULL, NULL, &io, IOCTL_AFD_BIND,
             params, params6_size, &addr6, sizeof(struct sockaddr_in6_old));
-    todo_wine ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
+    ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
 
     memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
     memset(&io, 0xcc, sizeof(io));
diff --git a/server/sock.c b/server/sock.c
index f730bb31c55..cce91f5150d 100644
--- a/server/sock.c
+++ b/server/sock.c
@@ -2492,7 +2492,7 @@ static int sock_ioctl( struct fd *fd, ioctl_code_t code, struct async *async )
         }
         in_size = get_req_data_size() - get_reply_max_size();
         if (in_size < offsetof(struct afd_bind_params, addr.sa_data)
-                || get_reply_max_size() < sizeof(struct WS_sockaddr))
+                || get_reply_max_size() < in_size - sizeof(int))
         {
             set_error( STATUS_INVALID_PARAMETER );
             return 0;

More information about the wine-cvs mailing list