mountmgr: Validate the output size for IOCTL_MOUNTMGR_QUERY_POINTS.

dlls/kernel32/tests/volume.c

@@ -1658,7 +1658,7 @@ static void test_mountmgr_query_points(void)
     io.Information = 0xdeadf00d;
     status = NtDeviceIoControlFile( file, NULL, NULL, NULL, &io,
             IOCTL_MOUNTMGR_QUERY_POINTS, input, sizeof(*input), NULL, 0 );
-    todo_wine ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
+    ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
     todo_wine ok(io.Status == 0xdeadf00d, "got status %#x\n", io.Status);
     todo_wine ok(io.Information == 0xdeadf00d, "got information %#Ix\n", io.Information);
 
@@ -1667,10 +1667,10 @@ static void test_mountmgr_query_points(void)
     memset(output, 0xcc, sizeof(*output));
     status = NtDeviceIoControlFile( file, NULL, NULL, NULL, &io,
             IOCTL_MOUNTMGR_QUERY_POINTS, input, sizeof(*input), output, sizeof(*output) - 1 );
-    todo_wine ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
+    ok(status == STATUS_INVALID_PARAMETER, "got %#x\n", status);
     todo_wine ok(io.Status == 0xdeadf00d, "got status %#x\n", io.Status);
     todo_wine ok(io.Information == 0xdeadf00d, "got information %#Ix\n", io.Information);
-    todo_wine ok(output->Size == 0xcccccccc, "got size %u\n", output->Size);
+    ok(output->Size == 0xcccccccc, "got size %u\n", output->Size);
     ok(output->NumberOfMountPoints == 0xcccccccc, "got count %u\n", output->NumberOfMountPoints);
 
     io.Status = 0xdeadf00d;

dlls/mountmgr.sys/mountmgr.c

@@ -168,8 +168,9 @@ static NTSTATUS query_mount_points( void *buff, SIZE_T insize,
     MOUNTMGR_MOUNT_POINTS *info;
     struct mount_point *mount;
 
-    /* sanity checks */
-    if (input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength > insize ||
+    if (insize < sizeof(*input) ||
+        outsize < sizeof(*info) ||
+        input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength > insize ||
         input->UniqueIdOffset + input->UniqueIdLength > insize ||
         input->DeviceNameOffset + input->DeviceNameLength > insize ||
         input->SymbolicLinkNameOffset + input->SymbolicLinkNameLength < input->SymbolicLinkNameOffset ||
@@ -193,7 +194,7 @@ static NTSTATUS query_mount_points( void *buff, SIZE_T insize,
     if (size > outsize)
     {
         info = buff;
-        if (size >= sizeof(info->Size)) info->Size = size;
+        info->Size = size;
         iosb->Information = sizeof(info->Size);
         return STATUS_MORE_ENTRIES;
     }
@@ -907,11 +908,6 @@ static NTSTATUS WINAPI mountmgr_ioctl( DEVICE_OBJECT *device, IRP *irp )
     switch(irpsp->Parameters.DeviceIoControl.IoControlCode)
     {
     case IOCTL_MOUNTMGR_QUERY_POINTS:
-        if (irpsp->Parameters.DeviceIoControl.InputBufferLength < sizeof(MOUNTMGR_MOUNT_POINT))
-        {
-            status = STATUS_INVALID_PARAMETER;
-            break;
-        }
         status = query_mount_points( irp->AssociatedIrp.SystemBuffer,
                                      irpsp->Parameters.DeviceIoControl.InputBufferLength,
                                      irpsp->Parameters.DeviceIoControl.OutputBufferLength,