[PATCH 3/8] secur32: Validate output buffer size in schan_InitializeSecurityContextW.
Connor McAdams
cmcadams at codeweavers.com
Tue Jan 25 09:32:09 CST 2022
Signed-off-by: Connor McAdams <cmcadams at codeweavers.com>
---
dlls/secur32/schannel.c | 13 ++++++++++++-
dlls/secur32/tests/schannel.c | 2 --
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c
index 6b699cccce1..fa5577d78e3 100644
--- a/dlls/secur32/schannel.c
+++ b/dlls/secur32/schannel.c
@@ -709,7 +709,7 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
SecBuffer *buffer;
SecBuffer alloc_buffer = { 0 };
struct handshake_params params;
- int idx;
+ int idx, i;
TRACE("%p %p %s 0x%08x %d %d %p %d %p %p %p %p\n", phCredential, phContext,
debugstr_w(pszTargetName), fContextReq, Reserved1, TargetDataRep, pInput,
@@ -724,6 +724,17 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
ptsExpiry->HighPart = 0;
}
+ if (!pOutput || !pOutput->cBuffers) return SEC_E_INVALID_TOKEN;
+ for (i = 0; i < pOutput->cBuffers; i++)
+ {
+ ULONG buf_type = pOutput->pBuffers[i].BufferType;
+
+ if ((buf_type != SECBUFFER_TOKEN) && (buf_type != SECBUFFER_ALERT))
+ continue;
+ if (!pOutput->pBuffers[i].cbBuffer && !(fContextReq & ISC_REQ_ALLOCATE_MEMORY))
+ return SEC_E_INSUFFICIENT_MEMORY;
+ }
+
if (!phContext)
{
ULONG_PTR handle;
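Review bot: The new loop reads `pOutput->pBuffers[i]` without checking the caller-supplied array pointer, so a descriptor with a non-zero `cBuffers` and a NULL `pBuffers` passes the first guard and faults on the first iteration. The guard could read `if (!pOutput || !pOutput->cBuffers || !pOutput->pBuffers) return SEC_E_INVALID_TOKEN;`, provided a test confirms that native returns this status for that input. The loop also checks only `cbBuffer`, so a TOKEN or ALERT buffer with a non-zero size and a NULL `pvBuffer` is still accepted here; whether later code handles that case is not visible in this hunk. `i` is declared `int` but compared against the unsigned `cBuffers`, so `unsigned int i;` would avoid the signed/unsigned comparison. The function body starts and ends outside the hunk.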
diff --git a/dlls/secur32/tests/schannel.c b/dlls/secur32/tests/schannel.c
index f72d71a3af3..8b64189bbe4 100644
--- a/dlls/secur32/tests/schannel.c
+++ b/dlls/secur32/tests/schannel.c
@@ -1023,7 +1023,6 @@ todo_wine
status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
-todo_wine
ok(status == SEC_E_INSUFFICIENT_MEMORY || status == SEC_E_INVALID_TOKEN,
"Expected SEC_E_INSUFFICIENT_MEMORY or SEC_E_INVALID_TOKEN, got %08x\n", status);
ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
@@ -1031,7 +1030,6 @@ todo_wine
status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
0, 0, NULL, 0, &context, NULL, &attrs, NULL);
-todo_wine
ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
buffers[0].pBuffers[0].cbBuffer = buf_size;
--
2.25.1