[ros-diffs] [rmessiant] 50158: [SCSIPORT] - ScsiPortDeviceControl: Slight improvement to buffer length validation. Return failure status on a handful of failure cases. Prevents buffer overruns in user code.

rmessiant Mon, 27 Dec 2010 02:15:50 -0800

Author: rmessiant
Date: Mon Dec 27 10:15:36 2010
New Revision: 50158

URL: http://svn.reactos.org/svn/reactos?rev=50158&view=rev
Log:
[SCSIPORT]
- ScsiPortDeviceControl: Slight improvement to buffer length validation. Return 
failure status on a handful of failure cases. Prevents buffer overruns in user 
code.


Modified:
    trunk/reactos/drivers/storage/scsiport/scsiport.c

Modified: trunk/reactos/drivers/storage/scsiport/scsiport.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/storage/scsiport/scsiport.c?rev=50158&r1=50157&r2=50158&view=diff
==============================================================================
--- trunk/reactos/drivers/storage/scsiport/scsiport.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/storage/scsiport/scsiport.c [iso-8859-1] Mon Dec 27 
10:15:36 2010
@@ -2809,7 +2809,8 @@
 {
     PIO_STACK_LOCATION Stack;
     PSCSI_PORT_DEVICE_EXTENSION DeviceExtension;
-    NTSTATUS Status = STATUS_SUCCESS;
+    PDUMP_POINTERS DumpPointers;
+    NTSTATUS Status;
 
     DPRINT("ScsiPortDeviceControl()\n");
 
@@ -2821,15 +2822,22 @@
     switch (Stack->Parameters.DeviceIoControl.IoControlCode)
     {
       case IOCTL_SCSI_GET_DUMP_POINTERS:
-       {
-         PDUMP_POINTERS DumpPointers;
-         DPRINT("  IOCTL_SCSI_GET_DUMP_POINTERS\n");
-         DumpPointers = (PDUMP_POINTERS)Irp->AssociatedIrp.SystemBuffer;
-         DumpPointers->DeviceObject = DeviceObject;
-
-         Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
-       }
-       break;
+        DPRINT("  IOCTL_SCSI_GET_DUMP_POINTERS\n");
+
+        if (Stack->Parameters.DeviceIoControl.OutputBufferLength < 
sizeof(DUMP_POINTERS))
+        {
+          Status = STATUS_BUFFER_OVERFLOW;
+          Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
+          break;
+        }
+
+        DumpPointers = Irp->AssociatedIrp.SystemBuffer;
+        DumpPointers->DeviceObject = DeviceObject;
+        /* More data.. ? */
+
+        Status = STATUS_SUCCESS;
+        Irp->IoStatus.Information = sizeof(DUMP_POINTERS);
+        break;
 
       case IOCTL_SCSI_GET_CAPABILITIES:
         DPRINT("  IOCTL_SCSI_GET_CAPABILITIES\n");
@@ -2865,16 +2873,18 @@
 
       case IOCTL_SCSI_MINIPORT:
           DPRINT1("IOCTL_SCSI_MINIPORT unimplemented!\n");
+          Status = STATUS_NOT_IMPLEMENTED;
           break;
 
       case IOCTL_SCSI_PASS_THROUGH:
           DPRINT1("IOCTL_SCSI_PASS_THROUGH unimplemented!\n");
+          Status = STATUS_NOT_IMPLEMENTED;
           break;
 
       default:
-       DPRINT1("  unknown ioctl code: 0x%lX\n",
-              Stack->Parameters.DeviceIoControl.IoControlCode);
-       break;
+          DPRINT1("  unknown ioctl code: 0x%lX\n", 
Stack->Parameters.DeviceIoControl.IoControlCode);
+          Status = STATUS_NOT_IMPLEMENTED;
+          break;
     }
 
     /* Complete the request with the given status */

[ros-diffs] [rmessiant] 50158: [SCSIPORT] - ScsiPortDeviceControl: Slight improvement to buffer length validation. Return failure status on a handful of failure cases. Prevents buffer overruns in user code.

Reply via email to