[PATCH v2 0/1] MR10395: crypt32: Don't access CERT_CHAIN_ENGINE_CONFIG::dwExclusiveFlags without checking size.
Found by ASan. Example in test `crypt32:chain`, `testCreateCertChainEngine`. A pointer to a `CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT` is passed to `CertCreateCertificateChainEngine`. Accessing `dwExclusiveFlags` unconditionally is out of bounds.

--
v2: crypt32: Don't access CERT_CHAIN_ENGINE_CONFIG::dwExclusiveFlags without checking size.

https://gitlab.winehq.org/wine/wine/-/merge_requests/10395
From: Yuxuan Shui <yshui@codeweavers.com> Found by ASan. --- dlls/crypt32/chain.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c index 6e0e55b9e5a..cb9d0c7acb3 100644 --- a/dlls/crypt32/chain.c +++ b/dlls/crypt32/chain.c @@ -236,17 +236,22 @@ BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig, TRACE("dwUrlRetrievalTimeout %lu\n", pConfig->dwUrlRetrievalTimeout); TRACE("MaximumCachedCertificates %lu\n", pConfig->MaximumCachedCertificates); TRACE("CycleDetectionModulus %lu\n", pConfig->CycleDetectionModulus); - TRACE("hExclusiveRoot %p\n", pConfig->hExclusiveRoot); - TRACE("hExclusiveTrustedPeople %p\n", pConfig->hExclusiveTrustedPeople); - TRACE("dwExclusiveFlags %lx\n", pConfig->dwExclusiveFlags); - if (pConfig->dwExclusiveFlags) FIXME("dwExclusiveFlags %lx not supported\n", pConfig->dwExclusiveFlags); - if (pConfig->cbSize != sizeof(CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT) && pConfig->cbSize != sizeof(CERT_CHAIN_ENGINE_CONFIG)) { SetLastError(E_INVALIDARG); return FALSE; } + + if (pConfig->cbSize == sizeof(CERT_CHAIN_ENGINE_CONFIG)) + { + TRACE("hExclusiveRoot %p\n", pConfig->hExclusiveRoot); + TRACE("hExclusiveTrustedPeople %p\n", pConfig->hExclusiveTrustedPeople); + TRACE("dwExclusiveFlags %lx\n", pConfig->dwExclusiveFlags); + if (pConfig->dwExclusiveFlags) + FIXME("dwExclusiveFlags %lx not supported\n", pConfig->dwExclusiveFlags); + } + ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot); if (!ret) { -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/10395
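Review bot: the TRACE calls left as context at the top of the hunk (dwUrlRetrievalTimeout, MaximumCachedCertificates, CycleDetectionModulus) still read pConfig fields before the cbSize validation, so a call that is about to be rejected with E_INVALIDARG has already read fields the caller's buffer was never confirmed to contain. Consider moving the cbSize check above all of the TRACE lines, so every field read happens only after the size is known to be one of the two accepted values. The new `pConfig->cbSize == sizeof(CERT_CHAIN_ENGINE_CONFIG)` guard is sound only because the preceding check admits exactly the two struct sizes; a one-line comment noting that hExclusiveRoot, hExclusiveTrustedPeople and dwExclusiveFlags exist only in the larger layout would keep that dependency visible if the validation is ever relaxed. The commit message is only "Found by ASan."; the out-of-bounds explanation given in the cover letter would be worth carrying into it.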
update: moved the traces. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/10395#note_133182
This merge request was approved by Hans Leidekker. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/10395