server: Fix constraints on the length of NT object names.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>

server: Fix constraints on the length of NT object names.
cd6e9c38 · Alexandre Julliard · b99d1525 · cd6e9c38 · cd6e9c38 · cd6e9c38
Commit cd6e9c38 authored Jan 19, 2016 by Alexandre Julliard
Showing with 12 additions and 15 deletions

reg.c dlls/ntdll/reg.c +1 -8

sync.c dlls/ntdll/sync.c +3 -3

om.c dlls/ntdll/tests/om.c +0 -0

registry.c server/registry.c +2 -2

request.c server/request.c +6 -2

No files found.
--- a/dlls/ntdll/reg.c
+++ b/dlls/ntdll/reg.c
@@ -42,8 +42,6 @@

 WINE_DEFAULT_DEBUG_CHANNEL(reg);

-/* maximum length of a key name in bytes (without terminating null) */
-#define MAX_NAME_LENGTH  (255 * sizeof(WCHAR))
 /* maximum length of a value name in bytes (without terminating null) */
 #define MAX_VALUE_LENGTH (16383 * sizeof(WCHAR))

@@ -61,7 +59,6 @@ NTSTATUS WINAPI NtCreateKey( PHANDLE retkey, ACCESS_MASK access, const OBJECT_AT

    if (!retkey || !attr) return STATUS_ACCESS_VIOLATION;
    if (attr->Length > sizeof(OBJECT_ATTRIBUTES)) return STATUS_INVALID_PARAMETER;
-    if (attr->ObjectName->Length > MAX_NAME_LENGTH) return STATUS_BUFFER_OVERFLOW;

    TRACE( "(%p,%s,%s,%x,%x,%p)\n", attr->RootDirectory, debugstr_us(attr->ObjectName),
           debugstr_us(class), options, access, retkey );
@@ -130,24 +127,20 @@ NTSTATUS WINAPI RtlpNtCreateKey( PHANDLE retkey, ACCESS_MASK access, const OBJEC
 NTSTATUS WINAPI NtOpenKeyEx( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr, ULONG options )
 {
    NTSTATUS ret;
-    DWORD len;

    if (!retkey || !attr) return STATUS_ACCESS_VIOLATION;
    if (attr->Length > sizeof(OBJECT_ATTRIBUTES)) return STATUS_INVALID_PARAMETER;
-    len = attr->ObjectName->Length;
    TRACE( "(%p,%s,%x,%p)\n", attr->RootDirectory,
           debugstr_us(attr->ObjectName), access, retkey );
    if (options)
        FIXME("options %x not implemented\n", options);

-    if (len > MAX_NAME_LENGTH) return STATUS_BUFFER_OVERFLOW;
-
    SERVER_START_REQ( open_key )
    {
        req->parent     = wine_server_obj_handle( attr->RootDirectory );
        req->access     = access;
        req->attributes = attr->Attributes;
-        wine_server_add_data( req, attr->ObjectName->Buffer, len );
+        wine_server_add_data( req, attr->ObjectName->Buffer, attr->ObjectName->Length );
        ret = wine_server_call( req );
        *retkey = wine_server_ptr_handle( reply->hkey );
    }

--- a/dlls/ntdll/sync.c
+++ b/dlls/ntdll/sync.c
@@ -107,8 +107,8 @@ NTSTATUS alloc_object_attributes( const OBJECT_ATTRIBUTES *attr, struct object_a

    if (attr->ObjectName)
    {
-        if (attr->ObjectName->Length >= MAX_PATH * sizeof(WCHAR)) return STATUS_NAME_TOO_LONG;
-        len += attr->ObjectName->Length & ~(sizeof(WCHAR) - 1);
+        if (attr->ObjectName->Length & (sizeof(WCHAR) - 1)) return STATUS_OBJECT_NAME_INVALID;
+        len += attr->ObjectName->Length;
    }

    *ret = RtlAllocateHeap( GetProcessHeap(), HEAP_ZERO_MEMORY, len );
@@ -142,7 +142,7 @@ NTSTATUS alloc_object_attributes( const OBJECT_ATTRIBUTES *attr, struct object_a
    if (attr->ObjectName)
    {
        unsigned char *ptr = (unsigned char *)(*ret + 1) + (*ret)->sd_len;
-        (*ret)->name_len = attr->ObjectName->Length & ~(sizeof(WCHAR) - 1);
+        (*ret)->name_len = attr->ObjectName->Length;
        memcpy( ptr, attr->ObjectName->Buffer, (*ret)->name_len );
    }


--- a/dlls/ntdll/tests/om.c
+++ b/dlls/ntdll/tests/om.c
--- a/server/registry.c
+++ b/server/registry.c
@@ -101,7 +101,7 @@ struct key_value
 #define MIN_SUBKEYS  8   /* min. number of allocated subkeys per key */
 #define MIN_VALUES   8   /* min. number of allocated values per key */

-#define MAX_NAME_LEN  255    /* max. length of a key name */
+#define MAX_NAME_LEN  256    /* max. length of a key name */
 #define MAX_VALUE_LEN 16383  /* max. length of a value name */

 /* the root of the registry tree */
@@ -575,7 +575,7 @@ static struct key *alloc_subkey( struct key *parent, const struct unicode_str *n

    if (name->len > MAX_NAME_LEN * sizeof(WCHAR))
    {
-        set_error( STATUS_NAME_TOO_LONG );
+        set_error( STATUS_INVALID_PARAMETER );
        return NULL;
    }
    if (parent->last_subkey + 1 == parent->nb_subkeys)

--- a/server/request.c
+++ b/server/request.c
@@ -191,9 +191,13 @@ const struct object_attributes *get_req_object_attributes( const struct security
        set_error( STATUS_INVALID_SECURITY_DESCR );
        return NULL;
    }
-
+    if ((attr->name_len & (sizeof(WCHAR) - 1)) || attr->name_len >= 65534)
+    {
+        set_error( STATUS_OBJECT_NAME_INVALID );
+        return NULL;
+    }
    *sd = attr->sd_len ? (const struct security_descriptor *)(attr + 1) : NULL;
-    name->len = (attr->name_len / sizeof(WCHAR)) * sizeof(WCHAR);
+    name->len = attr->name_len;
    name->str = (const WCHAR *)(attr + 1) + attr->sd_len / sizeof(WCHAR);
    return attr;
 }