[PATCH 3/8] secur32: Validate output buffer size in schan_InitializeSecurityContextW.

Connor McAdams cmcadams at codeweavers.com
Tue Jan 25 09:32:09 CST 2022


Signed-off-by: Connor McAdams <cmcadams at codeweavers.com>
---
 dlls/secur32/schannel.c       | 13 ++++++++++++-
 dlls/secur32/tests/schannel.c |  2 --
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c
index 6b699cccce1..fa5577d78e3 100644
--- a/dlls/secur32/schannel.c
+++ b/dlls/secur32/schannel.c
@@ -709,7 +709,7 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
     SecBuffer *buffer;
     SecBuffer alloc_buffer = { 0 };
     struct handshake_params params;
-    int idx;
+    int idx, i;
 
     TRACE("%p %p %s 0x%08x %d %d %p %d %p %p %p %p\n", phCredential, phContext,
      debugstr_w(pszTargetName), fContextReq, Reserved1, TargetDataRep, pInput,
@@ -724,6 +724,17 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
         ptsExpiry->HighPart = 0;
     }
 
+    if (!pOutput || !pOutput->cBuffers) return SEC_E_INVALID_TOKEN;
+    for (i = 0; i < pOutput->cBuffers; i++)
+    {
+        ULONG buf_type = pOutput->pBuffers[i].BufferType;
+
+        if ((buf_type != SECBUFFER_TOKEN) && (buf_type != SECBUFFER_ALERT))
+            continue;
+        if (!pOutput->pBuffers[i].cbBuffer && !(fContextReq & ISC_REQ_ALLOCATE_MEMORY))
+            return SEC_E_INSUFFICIENT_MEMORY;
+    }
+
     if (!phContext)
     {
         ULONG_PTR handle;
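Review bot: The new guard checks `pOutput` and `pOutput->cBuffers` but not `pOutput->pBuffers`, so a descriptor with a non-zero count and a NULL array is dereferenced at `pOutput->pBuffers[i].BufferType`; consider `if (!pOutput || !pOutput->cBuffers || !pOutput->pBuffers) return SEC_E_INVALID_TOKEN;`, after confirming which status native returns for that case. The loop index is declared `int idx, i;` in the first hunk while `cBuffers` is an unsigned ULONG, so `unsigned int i;` would avoid the signed/unsigned comparison in the `for` condition. The loop rejects only a zero `cbBuffer` on TOKEN/ALERT buffers; a non-zero but too-small buffer still passes, so the code that later writes the handshake output (outside this hunk, not visible here) presumably has to bound its copy by `cbBuffer` itself. The body of schan_InitializeSecurityContextW starts and ends outside the hunk.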
diff --git a/dlls/secur32/tests/schannel.c b/dlls/secur32/tests/schannel.c
index f72d71a3af3..8b64189bbe4 100644
--- a/dlls/secur32/tests/schannel.c
+++ b/dlls/secur32/tests/schannel.c
@@ -1023,7 +1023,6 @@ todo_wine
     status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
             ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
             0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
-todo_wine
     ok(status == SEC_E_INSUFFICIENT_MEMORY || status == SEC_E_INVALID_TOKEN,
        "Expected SEC_E_INSUFFICIENT_MEMORY or SEC_E_INVALID_TOKEN, got %08x\n", status);
     ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
@@ -1031,7 +1030,6 @@ todo_wine
     status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
             ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
             0, 0, NULL, 0, &context, NULL, &attrs, NULL);
-todo_wine
     ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
 
     buffers[0].pBuffers[0].cbBuffer = buf_size;
-- 
2.25.1



