server: Validate the output size of IOCTL_AFD_BIND against the input address size rather than sizeof(struct sockaddr).

Signed-off-by: Zebediah Figura <zfigura@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Zebediah Figura 2021-07-23 11:39:07 -05:00 committed by Alexandre Julliard
parent 1409b421d2
commit c06e5693cb
2 changed files with 3 additions and 3 deletions

View File

@ -1610,7 +1610,7 @@ static void test_bind(void)
memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
ret = NtDeviceIoControlFile((HANDLE)s, event, NULL, NULL, &io, IOCTL_AFD_BIND,
params, params6_size, &addr6, sizeof(addr6) - 1);
todo_wine ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
ret = NtDeviceIoControlFile((HANDLE)s, event, NULL, NULL, &io, IOCTL_AFD_BIND,
@ -1620,7 +1620,7 @@ static void test_bind(void)
memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
ret = NtDeviceIoControlFile((HANDLE)s, event, NULL, NULL, &io, IOCTL_AFD_BIND,
params, params6_size, &addr6, sizeof(struct sockaddr_in6_old));
todo_wine ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
ok(ret == STATUS_INVALID_PARAMETER, "got %#x\n", ret);
memcpy(&params->addr, &bind_addr6, sizeof(bind_addr6));
memset(&io, 0xcc, sizeof(io));

View File

@ -2492,7 +2492,7 @@ static int sock_ioctl( struct fd *fd, ioctl_code_t code, struct async *async )
}
in_size = get_req_data_size() - get_reply_max_size();
if (in_size < offsetof(struct afd_bind_params, addr.sa_data)
|| get_reply_max_size() < sizeof(struct WS_sockaddr))
|| get_reply_max_size() < in_size - sizeof(int))
{
set_error( STATUS_INVALID_PARAMETER );
return 0;