Commit ef88637f authored by Alexandre Julliard's avatar Alexandre Julliard

Made request tracing more robust against bogus lengths.

parent f35cdc8e
......@@ -277,5 +277,6 @@ DECL_HANDLER(find_atom)
/* get global atom name */
DECL_HANDLER(get_atom_name)
{
req->name[0] = 0;
req->count = get_atom_name( global_table, req->atom, req->name );
}
......@@ -439,7 +439,7 @@ DECL_HANDLER(open_console)
/* set info about a console (output only) */
DECL_HANDLER(set_console_info)
{
size_t len = get_req_strlen( req->title );
size_t len = get_req_strlen( req, req->title );
set_console_info( req->handle, req, req->title, len );
}
......@@ -447,13 +447,14 @@ DECL_HANDLER(set_console_info)
DECL_HANDLER(get_console_info)
{
struct screen_buffer *console;
req->title[0] = 0;
if ((console = (struct screen_buffer *)get_handle_obj( current->process, req->handle,
GENERIC_READ, &screen_buffer_ops )))
{
req->cursor_size = console->cursor_size;
req->cursor_visible = console->cursor_visible;
req->pid = console->pid;
strcpy( req->title, console->title ? console->title : "" );
if (console->title) strcpy( req->title, console->title );
release_object( console );
}
}
......@@ -496,7 +497,7 @@ DECL_HANDLER(set_console_mode)
/* add input records to a console input queue */
DECL_HANDLER(write_console_input)
{
int max = get_req_size( req + 1, sizeof(INPUT_RECORD) );
int max = get_req_size( req, req + 1, sizeof(INPUT_RECORD) );
int count = req->count;
if (count > max) count = max;
......@@ -506,7 +507,7 @@ DECL_HANDLER(write_console_input)
/* fetch input records from a console input queue */
DECL_HANDLER(read_console_input)
{
int max = get_req_size( req + 1, sizeof(INPUT_RECORD) );
int max = get_req_size( req, req + 1, sizeof(INPUT_RECORD) );
req->read = read_console_input( req->handle, req->count, (INPUT_RECORD *)(req + 1),
max, req->flush );
}
......@@ -114,7 +114,7 @@ static int event_satisfied( struct object *obj, struct thread *thread )
/* create an event */
DECL_HANDLER(create_event)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
struct event *event;
req->handle = -1;
......@@ -128,7 +128,7 @@ DECL_HANDLER(create_event)
/* open a handle to an event */
DECL_HANDLER(open_event)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
req->handle = open_object( req->name, len, &event_ops, req->access, req->inherit );
}
......
......@@ -450,7 +450,7 @@ static int file_unlock( struct file *file, int offset_high, int offset_low,
/* create a file */
DECL_HANDLER(create_file)
{
size_t len = get_req_strlen( req->name );
size_t len = get_req_strlen( req, req->name );
struct file *file;
req->handle = -1;
......
......@@ -160,7 +160,7 @@ int get_page_size(void)
/* create a file mapping */
DECL_HANDLER(create_mapping)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
struct object *obj;
req->handle = -1;
......@@ -177,7 +177,7 @@ DECL_HANDLER(create_mapping)
/* open a handle to a mapping */
DECL_HANDLER(open_mapping)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
req->handle = open_object( req->name, len, &mapping_ops, req->access, req->inherit );
}
......
......@@ -139,7 +139,7 @@ static void mutex_destroy( struct object *obj )
/* create a mutex */
DECL_HANDLER(create_mutex)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
struct mutex *mutex;
req->handle = -1;
......@@ -153,7 +153,7 @@ DECL_HANDLER(create_mutex)
/* open a handle to a mutex */
DECL_HANDLER(open_mutex)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
req->handle = open_object( req->name, len, &mutex_ops, req->access, req->inherit );
}
......
......@@ -578,7 +578,7 @@ struct process_snapshot *process_snap( int *count )
/* create a new process */
DECL_HANDLER(new_process)
{
size_t len = get_req_strlen( req->cmdline );
size_t len = get_req_strlen( req, req->cmdline );
struct thread *thread;
int sock[2];
......@@ -722,7 +722,7 @@ DECL_HANDLER(read_process_memory)
if ((process = get_process_from_handle( req->handle, PROCESS_VM_READ )))
{
read_process_memory( process, req->addr, req->len,
get_req_size( req->data, sizeof(int) ), req->data );
get_req_size( req, req->data, sizeof(int) ), req->data );
release_object( process );
}
}
......@@ -734,7 +734,8 @@ DECL_HANDLER(write_process_memory)
if ((process = get_process_from_handle( req->handle, PROCESS_VM_WRITE )))
{
write_process_memory( process, req->addr, req->len, get_req_size( req->data, sizeof(int) ),
write_process_memory( process, req->addr, req->len,
get_req_size( req, req->data, sizeof(int) ),
req->first_mask, req->last_mask, req->data );
release_object( process );
}
......
......@@ -308,10 +308,10 @@ static WCHAR *get_path_token( const WCHAR *initpath, size_t maxlen )
}
/* duplicate a Unicode string from the request buffer */
static WCHAR *req_strdupW( const WCHAR *str )
static WCHAR *req_strdupW( const void *req, const WCHAR *str )
{
WCHAR *name;
size_t len = get_req_strlenW( str );
size_t len = get_req_strlenW( req, str );
if ((name = mem_alloc( (len + 1) * sizeof(WCHAR) )) != NULL)
{
memcpy( name, str, len * sizeof(WCHAR) );
......@@ -741,7 +741,6 @@ static void get_value( struct key *key, WCHAR *name, int *type, int *len, void *
else
{
*type = -1;
*len = 0;
set_error( STATUS_OBJECT_NAME_NOT_FOUND );
}
}
......@@ -751,12 +750,7 @@ static void enum_value( struct key *key, int i, WCHAR *name, int *type, int *len
{
struct key_value *value;
if (i < 0 || i > key->last_value)
{
name[0] = 0;
*len = 0;
set_error( STATUS_NO_MORE_ENTRIES );
}
if (i < 0 || i > key->last_value) set_error( STATUS_NO_MORE_ENTRIES );
else
{
value = &key->values[i];
......@@ -1378,7 +1372,7 @@ DECL_HANDLER(create_key)
req->hkey = -1;
if ((parent = get_hkey_obj( req->parent, KEY_CREATE_SUB_KEY )))
{
if ((class = req_strdupW( req->class )))
if ((class = req_strdupW( req, req->class )))
{
if ((key = create_key( parent, req->name, sizeof(req->name), class, req->options,
req->modif, &req->created )))
......@@ -1436,6 +1430,7 @@ DECL_HANDLER(enum_key)
{
struct key *key;
req->name[0] = req->class[0] = 0;
if ((key = get_hkey_obj( req->hkey, KEY_ENUMERATE_SUB_KEYS )))
{
enum_key( key, req->index, req->name, req->class, &req->modif );
......@@ -1448,6 +1443,7 @@ DECL_HANDLER(query_key_info)
{
struct key *key;
req->name[0] = req->class[0] = 0;
if ((key = get_hkey_obj( req->hkey, KEY_QUERY_VALUE )))
{
query_key( key, req );
......@@ -1459,7 +1455,7 @@ DECL_HANDLER(query_key_info)
DECL_HANDLER(set_key_value)
{
struct key *key;
int max = get_req_size( req->data, sizeof(req->data[0]) );
int max = get_req_size( req, req->data, sizeof(req->data[0]) );
int datalen = req->len;
if (datalen > max)
{
......@@ -1478,6 +1474,7 @@ DECL_HANDLER(get_key_value)
{
struct key *key;
req->len = 0;
if ((key = get_hkey_obj( req->hkey, KEY_QUERY_VALUE )))
{
get_value( key, copy_path( req->name ), &req->type, &req->len, req->data );
......@@ -1490,6 +1487,8 @@ DECL_HANDLER(enum_key_value)
{
struct key *key;
req->len = 0;
req->name[0] = 0;
if ((key = get_hkey_obj( req->hkey, KEY_QUERY_VALUE )))
{
enum_value( key, req->index, req->name, &req->type, &req->len, req->data );
......@@ -1505,7 +1504,7 @@ DECL_HANDLER(delete_key_value)
if ((key = get_hkey_obj( req->hkey, KEY_SET_VALUE )))
{
if ((name = req_strdupW( req->name )))
if ((name = req_strdupW( req, req->name )))
{
delete_value( key, name );
free( name );
......
......@@ -46,24 +46,24 @@ static inline void *get_req_ptr( struct thread *thread )
}
/* get the remaining size in the request buffer for object of a given size */
static inline int get_req_size( const void *ptr, size_t typesize )
static inline int get_req_size( const void *req, const void *ptr, size_t typesize )
{
return ((char *)current->buffer + MAX_REQUEST_LENGTH - (char *)ptr) / typesize;
return ((char *)req + MAX_REQUEST_LENGTH - (char *)ptr) / typesize;
}
/* get the length of a request string, without going past the end of the request */
static inline size_t get_req_strlen( const char *str )
static inline size_t get_req_strlen( const void *req, const char *str )
{
const char *p = str;
while (*p && (p < (char *)current->buffer + MAX_REQUEST_LENGTH - 1)) p++;
while (*p && (p < (char *)req + MAX_REQUEST_LENGTH - 1)) p++;
return p - str;
}
/* same as above for Unicode */
static inline size_t get_req_strlenW( const WCHAR *str )
static inline size_t get_req_strlenW( const void *req, const WCHAR *str )
{
const WCHAR *p = str;
while (*p && ((char *)p < (char *)current->buffer + MAX_REQUEST_LENGTH - 2)) p++;
while (*p && (p < (WCHAR *)req + MAX_REQUEST_LENGTH/sizeof(WCHAR) - 1)) p++;
return p - str;
}
......
......@@ -122,7 +122,7 @@ static int semaphore_satisfied( struct object *obj, struct thread *thread )
/* create a semaphore */
DECL_HANDLER(create_semaphore)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
struct semaphore *sem;
req->handle = -1;
......@@ -136,7 +136,7 @@ DECL_HANDLER(create_semaphore)
/* open a handle to a semaphore */
DECL_HANDLER(open_semaphore)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
req->handle = open_object( req->name, len, &semaphore_ops, req->access, req->inherit );
}
......
......@@ -164,7 +164,7 @@ static void timer_destroy( struct object *obj )
/* create a timer */
DECL_HANDLER(create_timer)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
struct timer *timer;
req->handle = -1;
......@@ -178,7 +178,7 @@ DECL_HANDLER(create_timer)
/* open a handle to a timer */
DECL_HANDLER(open_timer)
{
size_t len = get_req_strlenW( req->name );
size_t len = get_req_strlenW( req, req->name );
req->handle = open_object( req->name, len, &timer_ops, req->access, req->inherit );
}
......
......@@ -19,7 +19,7 @@
"debug_event_t" => "&dump_debug_event_t",
"CONTEXT" => "&dump_context",
"EXCEPTION_RECORD" => "&dump_exc_record",
"char[1]" => "\\\"%s\\\"",
"char[1]" => "&dump_string",
"WCHAR[1]" => "&dump_unicode_string"
);
......@@ -139,8 +139,8 @@ sub DO_DUMP_FUNC
{
my $func = $1;
push @trace_lines, " fprintf( stderr, \" $var=\" );\n";
if ($type =~ /[1]/) { push @trace_lines, " $func( req->$var );\n"; }
else { push @trace_lines, " $func( &req->$var );\n"; }
if ($type =~ /[1]/) { push @trace_lines, " $func( req, req->$var );\n"; }
else { push @trace_lines, " $func( req, &req->$var );\n"; }
push @trace_lines, " fprintf( stderr, \",\" );\n" if ($#_ > 0);
}
else
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment