[PATCH v3 2/7] mountmgr: Validate the output size for IOCTL_MOUNTMGR_QUERY_POINTS.

Zebediah Figura zfigura at codeweavers.com
Mon Aug 30 22:25:57 CDT 2021


Signed-off-by: Zebediah Figura <zfigura at codeweavers.com>
---
 dlls/kernel32/tests/volume.c |  6 +++---
 dlls/mountmgr.sys/mountmgr.c | 12 ++++--------
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/dlls/kernel32/tests/volume.c b/dlls/kernel32/tests/volume.c
index 1670ab69222..4915e744eba 100644
--- a/dlls/kernel32/tests/volume.c
+++ b/dlls/kernel32/tests/volume.c
@@ -1658,7 +1658,7 @@ static void test_mountmgr_query_points(void)
     io.Information = 0xdeadf00d;
     status = NtDeviceIoControlFile( file, NULL, NULL, NULL, &io,
             IOCTL_MOUNTMGR_QUERY_POINTS, input, sizeof(*input), NULL, 0 );
-    todo_wine ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
+    ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
     todo_wine ok(io.Status == 0xdeadf00d, "got status %#x\n", io.Status);
     todo_wine ok(io.Information == 0xdeadf00d, "got information %#Ix\n", io.Information);
 
@@ -1667,10 +1667,10 @@ static void test_mountmgr_query_points(void)
     memset(output, 0xcc, sizeof(*output));
     status = NtDeviceIoControlFile( file, NULL, NULL, NULL, &io,
             IOCTL_MOUNTMGR_QUERY_POINTS, input, sizeof(*input), output, sizeof(*output) - 1 );
-    todo_wine ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
+    ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
     todo_wine ok(io.Status == 0xdeadf00d, "got status %#x\n", io.Status);
     todo_wine ok(io.Information == 0xdeadf00d, "got information %#Ix\n", io.Information);
-    todo_wine ok(output->Size == 0xcccccccc, "got size %u\n", output->Size);
+    ok(output->Size == 0xcccccccc, "got size %u\n", output->Size);
     ok(output->NumberOfMountPoints == 0xcccccccc, "got count %u\n", output->NumberOfMountPoints);
 
     io.Status = 0xdeadf00d;
diff --git a/dlls/mountmgr.sys/mountmgr.c b/dlls/mountmgr.sys/mountmgr.c
index 50be9eb740f..a61140d847e 100644
--- a/dlls/mountmgr.sys/mountmgr.c
+++ b/dlls/mountmgr.sys/mountmgr.c
@@ -168,8 +168,9 @@ static NTSTATUS query_mount_points( void *buff, SIZE_T insize,
     MOUNTMGR_MOUNT_POINTS *info;
     struct mount_point *mount;
 
-    /* sanity checks */
-    if (input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength > insize ||
+    if (insize < sizeof(*input) ||
+        outsize < sizeof(*info) ||
+        input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength > insize ||
         input->UniqueIdOffset + input->UniqueIdLength > insize ||
         input->DeviceNameOffset + input->DeviceNameLength > insize ||
         input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength < input->SymbolicLinkNameOffset ||
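Review bot: The new `insize < sizeof(*input)` term is what keeps the later `input->...` reads within the buffer, and that protection depends entirely on it staying first in the `||` chain; with the `/* sanity checks */` comment dropped nothing documents that ordering, so a short comment would guard it, e.g. `/* the insize check must stay first: every later term reads input's fields */`. `sizeof(*info)` on the still-unassigned `info` pointer is well-defined because sizeof is unevaluated, but a reader may stop on it; `sizeof(MOUNTMGR_MOUNT_POINTS)` reads more plainly. The condition and the body of query_mount_points continue past the end of the hunk, so the status returned on failure is not visible here.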
@@ -193,7 +194,7 @@ static NTSTATUS query_mount_points( void *buff, SIZE_T insize,
     if (size > outsize)
     {
         info = buff;
-        if (size >= sizeof(info->Size)) info->Size = size;
+        info->Size = size;
         iosb->Information = sizeof(info->Size);
         return STATUS_MORE_ENTRIES;
     }
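Review bot: `info->Size = size;` now stores `size` into the `Size` field unconditionally, and if `size` is declared with a wider type than that field (its declaration is above the hunk, so this cannot be confirmed here) the assignment truncates silently for very large results. The removed guard compared `size`, the required length, against `sizeof(info->Size)`, so it never bounded the write into `buff`; what makes the write safe is the `outsize < sizeof(*info)` check at the top of the function, and that dependency deserves a comment at the assignment, e.g. `/* outsize >= sizeof(*info) was verified on entry, so Size is always writable */`.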
@@ -907,11 +908,6 @@ static NTSTATUS WINAPI mountmgr_ioctl( DEVICE_OBJECT *device, IRP *irp )
     switch(irpsp->Parameters.DeviceIoControl.IoControlCode)
     {
     case IOCTL_MOUNTMGR_QUERY_POINTS:
-        if (irpsp->Parameters.DeviceIoControl.InputBufferLength < sizeof(MOUNTMGR_MOUNT_POINT))
-        {
-            status = STATUS_INVALID_PARAMETER;
-            break;
-        }
         status = query_mount_points( irp->AssociatedIrp.SystemBuffer,
                                      irpsp->Parameters.DeviceIoControl.InputBufferLength,
                                      irpsp->Parameters.DeviceIoControl.OutputBufferLength,
-- 
2.33.0



