From: Connor McAdams
Subject: [PATCH 3/8] secur32: Validate output buffer size in schan_InitializeSecurityContextW.
Message-Id: <20220125153214.1402570-3-cmcadams@codeweavers.com>
Date: Tue, 25 Jan 2022 10:32:09 -0500
In-Reply-To: <20220125153214.1402570-1-cmcadams@codeweavers.com>
References: <20220125153214.1402570-1-cmcadams@codeweavers.com>
Signed-off-by: Connor McAdams
---
 dlls/secur32/schannel.c       | 13 ++++++++++++-
 dlls/secur32/tests/schannel.c |  2 --
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c
index 6b699cccce1..fa5577d78e3 100644
--- a/dlls/secur32/schannel.c
+++ b/dlls/secur32/schannel.c
@@ -709,7 +709,7 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
     SecBuffer *buffer;
     SecBuffer alloc_buffer = { 0 };
     struct handshake_params params;
-    int idx;
+    int idx, i;
 
     TRACE("%p %p %s 0x%08x %d %d %p %d %p %p %p %p\n", phCredential, phContext,
      debugstr_w(pszTargetName), fContextReq, Reserved1, TargetDataRep, pInput,
@@ -724,6 +724,17 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextW(
         ptsExpiry->HighPart = 0;
     }
 
+    if (!pOutput || !pOutput->cBuffers) return SEC_E_INVALID_TOKEN;
+    for (i = 0; i < pOutput->cBuffers; i++)
+    {
+        ULONG buf_type = pOutput->pBuffers[i].BufferType;
+
+        if ((buf_type != SECBUFFER_TOKEN) && (buf_type != SECBUFFER_ALERT))
+            continue;
+        if (!pOutput->pBuffers[i].cbBuffer && !(fContextReq & ISC_REQ_ALLOCATE_MEMORY))
+            return SEC_E_INSUFFICIENT_MEMORY;
+    }
+
     if (!phContext)
     {
         ULONG_PTR handle;
diff --git a/dlls/secur32/tests/schannel.c b/dlls/secur32/tests/schannel.c
index f72d71a3af3..8b64189bbe4 100644
--- a/dlls/secur32/tests/schannel.c
+++ b/dlls/secur32/tests/schannel.c
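Review bot: The loop index `i` added in the first hunk is declared `int` but is compared against `pOutput->cBuffers`, which is unsigned, so `i < pOutput->cBuffers` in the second hunk is a signed/unsigned comparison; declaring it `ULONG i;` (the same type the hunk already uses for `buf_type`) avoids the -Wsign-compare warning and the implicit conversion. The new check also dereferences `pOutput->pBuffers` for every `cBuffers` entry without checking it is non-NULL, and it rejects only a zero `cbBuffer`, so a nonzero `cbBuffer` paired with a NULL `pvBuffer` is not rejected here; whether Windows treats those cases as SEC_E_INVALID_TOKEN is not established by the tests in this patch, so a one-line comment on the loop such as `/* only the size of TOKEN/ALERT output buffers is validated here; pvBuffer is checked by the caller */` would make the intended scope explicit for the next reader. schan_InitializeSecurityContextW's body starts before the first hunk and continues past the second.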
@@ -1023,7 +1023,6 @@ todo_wine
     status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
         ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM, 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
-todo_wine
     ok(status == SEC_E_INSUFFICIENT_MEMORY || status == SEC_E_INVALID_TOKEN,
        "Expected SEC_E_INSUFFICIENT_MEMORY or SEC_E_INVALID_TOKEN, got %08x\n", status);
     ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
@@ -1031,7 +1030,6 @@ todo_wine
     status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
         ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM, 0, 0, NULL, 0, &context, NULL, &attrs, NULL);
-todo_wine
     ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
     buffers[0].pBuffers[0].cbBuffer = buf_size;
-- 
2.25.1