On 09/06/2011 06:23 AM, Octavian Voicu wrote:
First one is an off-by-one error: RtlGetFullPathName_U, on success, returns
the number of bytes written, without counting the terminating NULL. The
allocated size for ntpath->Buffer didn't account for that NULL byte, so
for UNC paths the NULL byte would be overflown.
Second one is caused by an USHORT overflow in ntpath->MaximumLength.
Calling the function with a path longer than 65535-8 bytes would allocate
a much shorter buffer and lead to a buffer overflow.
--
Steps to reproduce second issue are described here:
http://packetstormsecurity.org/files/view/76170/wine-overflow.txt
Funny fact: Windows had the same USHORT overflow bug:
http://www.securityfocus.com/archive/1/323508
---
dlls/ntdll/path.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/dlls/ntdll/path.c b/dlls/ntdll/path.c
index 3207720..6138fa8 100644
--- a/dlls/ntdll/path.c
+++ b/dlls/ntdll/path.c
@@ -383,8 +383,14 @@ BOOLEAN WINAPI RtlDosPathNameToNtPathName_U(PCWSTR
dos_path,
if (!(ptr = RtlAllocateHeap(GetProcessHeap(), 0, sz))) return FALSE;
sz = RtlGetFullPathName_U(dos_path, sz, ptr, file_part);
}
+ sz += (1 /* NUL */ + 4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);
+ if (sz> MAXWORD)
+ {
+ if (ptr != local) RtlFreeHeap(GetProcessHeap(), 0, ptr);
+ return FALSE;
+ }
- ntpath->MaximumLength = sz + (4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);
+ ntpath->MaximumLength = sz;
ntpath->Buffer = RtlAllocateHeap(GetProcessHeap(), 0,
ntpath->MaximumLength);
if (!ntpath->Buffer)
{
The fix is not entirely correct. UNICODE_STRING does not have to have a
terminating \0 character. The code should not use str* functions on not
zero-terminated strings.
Vitaliy