Module: wine Branch: master Commit: 7a200887bb9a455b83b462060b290e6a5a9db225 URL: http://source.winehq.org/git/wine.git/?a=commit;h=7a200887bb9a455b83b462060b... Author: Sebastian Lackner <sebastian(a)fds-team.de> Date: Wed Aug 10 08:31:34 2016 +0200 advapi32: Validate received service name. Signed-off-by: Sebastian Lackner <sebastian(a)fds-team.de> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org>
---
 dlls/advapi32/service.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/dlls/advapi32/service.c b/dlls/advapi32/service.c
index 0eb0a47..273e7c7 100644
--- a/dlls/advapi32/service.c
+++ b/dlls/advapi32/service.c
@@ -424,7 +424,8 @@ static DWORD WINAPI service_control_dispatcher(LPVOID arg)
 {
 service_data *service;
 service_start_info info;
- WCHAR *data = NULL;
+ BYTE *data = NULL;
+ WCHAR *name;
 BOOL r;
 DWORD data_size = 0, count, result;
@@ -460,16 +461,24 @@ static DWORD WINAPI service_control_dispatcher(LPVOID arg)
 }
 }
- /* find the service */
+ /* validate service name */
+ name = (WCHAR *)data;
+ if (!info.name_size || data_size < info.name_size * sizeof(WCHAR) || name[info.name_size - 1])
+ {
+ ERR( "got request without valid service name\n" );
+ result = ERROR_INVALID_PARAMETER;
+ goto done;
+ }
- if (!(service = find_service_by_name( data )))
+ /* find the service */
+ if (!(service = find_service_by_name( name )))
 {
- FIXME( "got request %u for unknown service %s\n", info.cmd, debugstr_w(data));
+ FIXME( "got request %u for unknown service %s\n", info.cmd, debugstr_w(name));
 result = ERROR_INVALID_PARAMETER;
 goto done;
 }
- TRACE( "got request %u for service %s\n", info.cmd, debugstr_w(data) );
+ TRACE( "got request %u for service %s\n", info.cmd, debugstr_w(name) );
 /* handle the request */
 switch (info.cmd)
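Review bot: The new bounds check `data_size < info.name_size * sizeof(WCHAR)` can wrap on builds where size_t is 32 bits, so a very large `name_size` may pass it and `name[info.name_size - 1]` then reads outside the received buffer. The type of `info.name_size` is not visible in this hunk; if it is a 32-bit count like `data_size`, comparing by division avoids the multiplication: `if (!info.name_size || info.name_size > data_size / sizeof(WCHAR) || name[info.name_size - 1])`. The enclosing loop body begins and ends outside the hunk.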
@@ -477,12 +486,12 @@ static DWORD WINAPI service_control_dispatcher(LPVOID arg)
 case WINESERV_STARTINFO:
 if (!service->handle)
 {
- if (!(service->handle = OpenServiceW( disp->manager, data, SERVICE_SET_STATUS )) ||
- !(service->full_access_handle = OpenServiceW( disp->manager, data,
+ if (!(service->handle = OpenServiceW( disp->manager, name, SERVICE_SET_STATUS )) ||
+ !(service->full_access_handle = OpenServiceW( disp->manager, name,
 GENERIC_READ|GENERIC_WRITE )))
- FIXME( "failed to open service %s\n", debugstr_w(data) );
+ FIXME( "failed to open service %s\n", debugstr_w(name) );
 }
- result = service_handle_start(service, data, data_size / sizeof(WCHAR));
+ result = service_handle_start(service, (WCHAR *)data, data_size / sizeof(WCHAR));
 break;
 case WINESERV_SENDCONTROL:
 result = service_handle_control(service, info.control);
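Review bot: Only the service name is checked for termination; in the WINESERV_STARTINFO case the whole buffer is still handed to `service_handle_start` with `data_size / sizeof(WCHAR)` as its length, so whatever follows the name (presumably the start arguments) arrives unvalidated and an odd `data_size` is silently rounded down. `service_handle_start` is not shown here, so whether it bounds its parsing by that count cannot be confirmed. If it scans for NUL terminators, a guard before the call such as `if (data_size % sizeof(WCHAR) || name[data_size / sizeof(WCHAR) - 1]) { result = ERROR_INVALID_PARAMETER; goto done; }` would close the gap. The switch statement continues past the end of the hunk.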