webservices: Respect session dictionary size limits on send dictionary.

Signed-off-by: Connor McAdams <cmcadams@codeweavers.com> Signed-off-by: Hans Leidekker <hans@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

webservices: Respect session dictionary size limits on send dictionary.
e2fa62b8 · Connor McAdams · Alexandre Julliard · 36b45c6d · e2fa62b8 · e2fa62b8
Commit e2fa62b8 authored Apr 21, 2022 by Connor McAdams Committed by Alexandre Julliard Apr 21, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 8 deletions

channel.c dlls/webservices/channel.c +15 -6

string.c dlls/webservices/string.c +4 -1

webservices_private.h dlls/webservices/webservices_private.h +3 -1

No files found.
--- a/dlls/webservices/channel.c
+++ b/dlls/webservices/channel.c
@@ -327,8 +327,8 @@ static void reset_channel( struct channel *channel )
    channel->state         = WS_CHANNEL_STATE_CREATED;
    channel->session_state = SESSION_STATE_UNINITIALIZED;
    clear_addr( &channel->addr );
-    clear_dict( &channel->dict_send );
+    init_dict( &channel->dict_send, channel->dict_size );
-    clear_dict( &channel->dict_recv );
+    init_dict( &channel->dict_recv, 0 );
    channel->msg           = NULL;
    channel->read_size     = 0;
    channel->send_size     = 0;
@@ -485,6 +485,7 @@ static HRESULT create_channel( WS_CHANNEL_TYPE type, WS_CHANNEL_BINDING binding,
        channel->u.tcp.socket = -1;
        channel->encoding     = WS_ENCODING_XML_BINARY_SESSION_1;
        channel->dict_size    = 2048;
+        channel->dict_send.str_bytes_max = channel->dict_size;
        break;
    case WS_UDP_CHANNEL_BINDING:
@@ -544,6 +545,7 @@ static HRESULT create_channel( WS_CHANNEL_TYPE type, WS_CHANNEL_BINDING binding,
            }
            channel->dict_size = *(ULONG *)prop->value;
+            channel->dict_send.str_bytes_max = channel->dict_size;
            break;
        default:
@@ -1615,6 +1617,13 @@ static HRESULT CALLBACK dict_cb( void *state, const WS_XML_STRING *str, BOOL *fo
        return S_OK;
    }
+    if (str->length + dict->str_bytes + 1 > dict->str_bytes_max)
+    {
+        WARN( "max string bytes exceeded\n" );
+        *found = FALSE;
+        return hr;
+    }
    if (!(bytes = malloc( str->length ))) return E_OUTOFMEMORY;
    memcpy( bytes, str->bytes, str->length );
    if ((hr = insert_string( dict, bytes, str->length, index, id )) == S_OK)
@@ -2184,12 +2193,12 @@ static HRESULT build_dict( const BYTE *buf, ULONG buflen, struct dictionary *dic
    {
        if ((hr = read_size( &ptr, buflen, &size )) != S_OK)
        {
-            clear_dict( dict );
+            init_dict( dict, 0 );
            return hr;
        }
        if (size > buflen)
        {
-            clear_dict( dict );
+            init_dict( dict, 0 );
            return WS_E_INVALID_FORMAT;
        }
        buflen -= size;
@@ -2208,7 +2217,7 @@ static HRESULT build_dict( const BYTE *buf, ULONG buflen, struct dictionary *dic
        if ((hr = insert_string( dict, bytes, size, index, NULL )) != S_OK)
        {
            free( bytes );
-            clear_dict( dict );
+            init_dict( dict, 0 );
            return hr;
        }
        ptr += size;
@@ -2216,7 +2225,7 @@ static HRESULT build_dict( const BYTE *buf, ULONG buflen, struct dictionary *dic
    return S_OK;
 error:
-    clear_dict( dict );
+    init_dict( dict, 0 );
    return hr;
 }

--- a/dlls/webservices/string.c
+++ b/dlls/webservices/string.c
@@ -131,7 +131,7 @@ static HRESULT grow_dict( struct dictionary *dict, ULONG size )
    return S_OK;
 }
-void clear_dict( struct dictionary *dict )
+void init_dict( struct dictionary *dict, ULONG str_bytes_max )
 {
    ULONG i;
    assert( !dict->dict.isConst );
@@ -145,6 +145,8 @@ void clear_dict( struct dictionary *dict )
    dict->sequence = NULL;
    dict->current_sequence = 0;
    dict->size = 0;
+    dict->str_bytes = 0;
+    dict->str_bytes_max = str_bytes_max;
 }
 HRESULT insert_string( struct dictionary *dict, unsigned char *data, ULONG len, int i, ULONG *ret_id )
@@ -162,6 +164,7 @@ HRESULT insert_string( struct dictionary *dict, unsigned char *data, ULONG len, 
    dict->dict.strings[id].dictionary = &dict->dict;
    dict->dict.strings[id].id         = id;
    dict->dict.stringCount++;
+    dict->str_bytes += len + 1;
    dict->sequence[id] = dict->current_sequence;

--- a/dlls/webservices/webservices_private.h
+++ b/dlls/webservices/webservices_private.h
@@ -49,13 +49,15 @@ struct dictionary
    ULONG              size;
    ULONG              current_sequence;
    ULONG             *sequence;
+    ULONG              str_bytes;
+    ULONG              str_bytes_max;
 };
 extern struct dictionary dict_builtin DECLSPEC_HIDDEN;
 extern const struct dictionary dict_builtin_static DECLSPEC_HIDDEN;
 int find_string( const struct dictionary *, const unsigned char *, ULONG, ULONG * ) DECLSPEC_HIDDEN;
 HRESULT insert_string( struct dictionary *, unsigned char *, ULONG, int, ULONG * ) DECLSPEC_HIDDEN;
-void clear_dict( struct dictionary * ) DECLSPEC_HIDDEN;
+void init_dict( struct dictionary *, ULONG ) DECLSPEC_HIDDEN;
 HRESULT writer_set_lookup( WS_XML_WRITER *, BOOL ) DECLSPEC_HIDDEN;
 HRESULT writer_set_dict_callback( WS_XML_WRITER *, WS_DYNAMIC_STRING_CALLBACK, void * ) DECLSPEC_HIDDEN;