From: Nikolay Sivov
Subject: rpcrt4: Fix argument check in MesEncodeFixedBufferHandleCreate()
Message-Id: <54F5A736.5030805@codeweavers.com>
Date: Tue, 03 Mar 2015 15:21:10 +0300

---
From 2f97ff70822e5e4183418500ffbd4479875266a9 Mon Sep 17 00:00:00 2001
From: Nikolay Sivov
Date: Tue, 3 Mar 2015 15:18:58 +0300
Subject: [PATCH] rpcrt4: Fix argument check in MesEncodeFixedBufferHandleCreate()

---
 dlls/rpcrt4/ndr_es.c | 12 ++++++++++++
 dlls/rpcrt4/tests/ndr_marshall.c | 39 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/dlls/rpcrt4/ndr_es.c b/dlls/rpcrt4/ndr_es.c
index fa3fe7b..73bd867 100644
--- a/dlls/rpcrt4/ndr_es.c
+++ b/dlls/rpcrt4/ndr_es.c
@@ -42,6 +42,7 @@ static inline void init_MIDL_ES_MESSAGE(MIDL_ES_MESSAGE *pEsMsg)
     /* even if we are unmarshalling, as we don't want pointers to be pointed
      * to buffer memory */
     pEsMsg->StubMsg.IsClient = TRUE;
+    pEsMsg->MesVersion = 1;
 }
 
 /***********************************************************************
@@ -142,6 +143,17 @@ RPC_STATUS RPC_ENTRY MesEncodeFixedBufferHandleCreate(
 
     TRACE("(%p, %d, %p, %p)\n", Buffer, BufferSize, pEncodedSize, pHandle);
 
+    if (!Buffer)
+        return RPC_S_INVALID_ARG;
+
+    if (((ULONG_PTR)Buffer % 8) != 0)
+        return RPC_X_INVALID_BUFFER;
+
+    if (!pEncodedSize)
+        return RPC_S_INVALID_ARG;
+
+    /* FIXME: check BufferSize too */
+
     pEsMsg = HeapAlloc(GetProcessHeap(), 0, sizeof(*pEsMsg));
     if (!pEsMsg)
         return RPC_S_OUT_OF_MEMORY;
diff --git a/dlls/rpcrt4/tests/ndr_marshall.c b/dlls/rpcrt4/tests/ndr_marshall.c
index 1d8a64d..fd1cbbb 100644
--- a/dlls/rpcrt4/tests/ndr_marshall.c
+++ b/dlls/rpcrt4/tests/ndr_marshall.c
@@ -34,7 +34,7 @@
 #include "rpc.h"
 #include "rpcdce.h"
 #include "rpcproxy.h"
-
+#include "midles.h"
 
 static int my_alloc_called;
 static int my_free_called;
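Review bot: BufferSize is still accepted unchecked after the three new argument checks in MesEncodeFixedBufferHandleCreate(), as the added `/* FIXME: check BufferSize too */` line itself acknowledges, so a zero-length fixed buffer yields a handle that the encoder will presumably write into later; the test added by this same patch already pins BufferSize 0 to RPC_S_INVALID_ARG (under todo_wine). A minimal guard that satisfies that test, placed where the FIXME sits and keeping the FIXME for the exact Windows bounds, would be `if (!BufferSize) return RPC_S_INVALID_ARG;`; whether Windows additionally rejects sizes below 8 or not a multiple of 8 should be established by a test before tightening further. pHandle is not validated in this hunk either, so if the rest of the function stores through it unconditionally a NULL pHandle becomes a null write instead of an error return — worth confirming against the body. The checks do run before the HeapAlloc, so the early returns leak nothing; the function body continues outside the hunk.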
@@ -2405,6 +2405,42 @@ static void test_NdrGetUserMarshalInfo(void)
         "NdrGetUserMarshalInfo should have failed with RPC_S_INVALID_ARG instead of %d\n", status);
 }
 
+static void test_MesEncodeFixedBufferHandleCreate(void)
+{
+    ULONG encoded_size;
+    RPC_STATUS status;
+    handle_t handle;
+    char *buffer;
+
+    status = MesEncodeFixedBufferHandleCreate(NULL, 0, NULL, NULL);
+    ok(status == RPC_S_INVALID_ARG, "got %d\n", status);
+
+    status = MesEncodeFixedBufferHandleCreate(NULL, 0, NULL, &handle);
+    ok(status == RPC_S_INVALID_ARG, "got %d\n", status);
+
+    status = MesEncodeFixedBufferHandleCreate((char*)0xdeadbeef, 0, NULL, &handle);
+    ok(status == RPC_X_INVALID_BUFFER, "got %d\n", status);
+
+    buffer = (void*)((0xdeadbeef + 7) & ~7);
+    status = MesEncodeFixedBufferHandleCreate(buffer, 0, NULL, &handle);
+    ok(status == RPC_S_INVALID_ARG, "got %d\n", status);
+
+    status = MesEncodeFixedBufferHandleCreate(buffer, 0, &encoded_size, &handle);
+todo_wine
+    ok(status == RPC_S_INVALID_ARG, "got %d\n", status);
+if (status == RPC_S_OK)
+    MesHandleFree(handle);
+
+    status = MesEncodeFixedBufferHandleCreate(buffer, 32, NULL, &handle);
+    ok(status == RPC_S_INVALID_ARG, "got %d\n", status);
+
+    status = MesEncodeFixedBufferHandleCreate(buffer, 32, &encoded_size, &handle);
+    ok(status == RPC_S_OK, "got %d\n", status);
+
+    status = MesHandleFree(handle);
+    ok(status == RPC_S_OK, "got %d\n", status);
+}
+
 START_TEST( ndr_marshall )
 {
     determine_pointer_marshalling_style();
@@ -2425,4 +2461,5 @@ START_TEST( ndr_marshall )
     test_ndr_buffer();
     test_NdrMapCommAndFaultStatus();
     test_NdrGetUserMarshalInfo();
+    test_MesEncodeFixedBufferHandleCreate();
 }
-- 
2.1.4
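Review bot: The new test never passes a NULL pHandle together with otherwise valid arguments, so pHandle validation and its precedence relative to the Buffer/pEncodedSize checks stay unpinned — the two NULL-pHandle calls at the top of test_MesEncodeFixedBufferHandleCreate() also pass a NULL Buffer and are caught by the Buffer check first. A case such as `status = MesEncodeFixedBufferHandleCreate(buffer, 32, &encoded_size, NULL); ok(status == RPC_S_INVALID_ARG, "got %d\n", status);` would document the expected behaviour, with the expected value confirmed on Windows before landing. Note also that `buffer` is a fabricated aligned address derived from 0xdeadbeef rather than a real allocation, which is adequate for the argument-check cases here but means the RPC_S_OK path would fault rather than fail an ok() if create ever touched the buffer; a small aligned local array would make that case robust as well.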