[PATCH v2 0/2] MR6548: nsiproxy: Only set the connection count from tcp_conns_enumerate_all/udp_endpoint_enumerate_all when appropriate.
Fixes heap corruption downstream in NsiEnumerateObjectsAllParametersEx. Fixes regressions from 9085bc7b87f and a3f737f6143.
---
I missed this piece of logic in MR !6399. The original line that implemented it is this: https://gitlab.winehq.org/wine/wine/-/blob/1d05064e747f9998fd705345659030e60...
--
v2: nsiproxy: Only set the connection count from udp_endpoint_enumerate_all when appropriate.
https://gitlab.winehq.org/wine/wine/-/merge_requests/6548
From: Tim Clem <tclem(a)codeweavers.com> Fixes heap corruption downstream in NsiEnumerateObjectsAllParametersEx. Fixes a regression from 9085bc7b87f. --- dlls/nsiproxy.sys/tcp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dlls/nsiproxy.sys/tcp.c b/dlls/nsiproxy.sys/tcp.c index 7a3004b1a97..2c55db30523 100644 --- a/dlls/nsiproxy.sys/tcp.c +++ b/dlls/nsiproxy.sys/tcp.c @@ -322,8 +322,14 @@ static NTSTATUS tcp_conns_enumerate_all( UINT filter, struct nsi_tcp_conn_key *k *count = reply->count; else if (ret == STATUS_BUFFER_TOO_SMALL) { - *count = reply->count; - if (want_data) + if (!want_data) + { + /* If we were given buffers, the outgoing count must never be + greater than the incoming one. If we weren't, the count + should be set to the actual count. */ + *count = reply->count; + } + else { free( connections ); return STATUS_BUFFER_OVERFLOW; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/6548
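Review bot: in the tcp_conns_enumerate_all hunk, the invariant stated in the new comment ("the outgoing count must never be greater than the incoming one") is upheld in the `else` branch only by not writing `*count` at all, yet the comment sits inside the `if (!want_data)` branch. Since that missing write is what keeps NsiEnumerateObjectsAllParametersEx from trusting a count larger than the buffers it supplied, move the comment above the `if` or add a one-line comment in the `else` branch, so a later cleanup does not reinstate the unconditional `*count = reply->count;`. A regression test that passes undersized buffers and checks for STATUS_BUFFER_OVERFLOW with a returned count no larger than the supplied one would pin the behaviour.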
From: Tim Clem <tclem(a)codeweavers.com> Fixes heap corruption downstream in NsiEnumerateObjectsAllParametersEx. Fixes a regression from a3f737f6143. --- dlls/nsiproxy.sys/udp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dlls/nsiproxy.sys/udp.c b/dlls/nsiproxy.sys/udp.c index 1d790484d8f..13d2e631b08 100644 --- a/dlls/nsiproxy.sys/udp.c +++ b/dlls/nsiproxy.sys/udp.c @@ -231,8 +231,14 @@ static NTSTATUS udp_endpoint_enumerate_all( void *key_data, UINT key_size, void *count = reply->count; else if (ret == STATUS_BUFFER_TOO_SMALL) { - *count = reply->count; - if (want_data) + if (!want_data) + { + /* If we were given buffers, the outgoing count must never be + greater than the incoming one. If we weren't, the count + should be set to the actual count. */ + *count = reply->count; + } + else { free( endpoints ); return STATUS_BUFFER_OVERFLOW; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/6548
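Review bot: the brace structure around the new `if (!want_data)` / `else` in udp_endpoint_enumerate_all needs confirming against the tree that was built, because the testbot reply in this thread reports `expected ‘}’ before ‘else’` at udp.c:246 and `expected ‘while’ before ‘}’ token` at udp.c:248, just past this hunk's new range (231 to 244). The braces in the hunk as posted balance, so check that it applies cleanly on its own and is not stacked on an earlier revision of the same change. Separately, the logic and comment are a verbatim copy of the tcp.c hunk, so the same remark applies here: the `else` branch preserves the caller's count only by omission, and the comment should cover that branch too.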
Hi,

It looks like your patch introduced the new failures shown below. Please investigate and fix them before resubmitting your patch. If they are not new, fixing them anyway would help a lot. Otherwise please ask for the known failures list to be updated.

The full results can be found at: https://testbot.winehq.org/JobDetails.pl?Key=148590

Your paranoid android.

=== debian11 (build log) ===
../wine/dlls/nsiproxy.sys/udp.c:246:13: error: expected ‘}’ before ‘else’
../wine/dlls/nsiproxy.sys/udp.c:248:5: error: expected ‘while’ before ‘}’ token
Task: The win32 Wine build failed

=== debian11b (build log) ===
../wine/dlls/nsiproxy.sys/udp.c:246:13: error: expected ‘}’ before ‘else’
../wine/dlls/nsiproxy.sys/udp.c:248:5: error: expected ‘while’ before ‘}’ token
Task: The wow64 Wine build failed