Windows: AFSParseMountPointTarget buffer overrun
[openafs.git] / src / WINNT / afsrdr / kernel / lib / AFSFSControl.cpp
index 05cda83..29dc20f 100644 (file)
@@ -115,7 +115,8 @@ AFSParseMountPointTarget( IN  UNICODE_STRING *Target,
 
     // If a colon is not found, it means there is no cell
 
-    if ( Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
+    if ( Cell->Length < Target->Length - sizeof( WCHAR) &&
+         Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
     {
 
         Cell->MaximumLength = Cell->Length;
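Review bot: The added bound `Cell->Length < Target->Length - sizeof( WCHAR)` is evaluated in unsigned arithmetic, so a Target whose Length is smaller than one WCHAR makes the right-hand side wrap to a very large value. In that case the `Cell->Buffer[ ...]` read on the next line is no longer bounded. An earlier guard may reject an empty Target, but AFSParseMountPointTarget starts and ends outside the hunk, so this is not visible here. Writing the comparison without a subtraction avoids the wrap: `if ( Cell->Length + sizeof( WCHAR) < Target->Length &&`.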
@@ -227,6 +228,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_LOCK_VOLUME request\n");
 
+                ntStatus = STATUS_NOT_IMPLEMENTED;
+
                 break;
             }
 
@@ -236,6 +239,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_UNLOCK_VOLUME request\n");
 
+                ntStatus = STATUS_NOT_IMPLEMENTED;
+
                 break;
             }
 
@@ -245,6 +250,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_DISMOUNT_VOLUME request\n");
 
+                ntStatus = STATUS_NOT_IMPLEMENTED;
+
                 break;
             }
 
@@ -254,6 +261,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_MARK_VOLUME_DIRTY request\n");
 
+                ntStatus = STATUS_NOT_IMPLEMENTED;
+
                 break;
             }
 
@@ -263,6 +272,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_IS_VOLUME_DIRTY request\n");
 
+                ntStatus = STATUS_NOT_IMPLEMENTED;
+
                 break;
             }
 
@@ -272,6 +283,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_IS_VOLUME_MOUNTED request\n");
 
+                ntStatus = STATUS_NOT_IMPLEMENTED;
+
                 break;
             }
 
@@ -281,6 +294,22 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing FSCTL_IS_PATHNAME_VALID request\n");
 
+                ntStatus = STATUS_SUCCESS;
+
+                break;
+            }
+
+#ifndef FSCTL_CSC_INTERNAL
+#define FSCTL_CSC_INTERNAL                  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 107, METHOD_NEITHER, FILE_ANY_ACCESS)
+#endif
+            case FSCTL_CSC_INTERNAL:
+            {
+                AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                              AFS_TRACE_LEVEL_VERBOSE_2,
+                              "AFSProcessUserFsRequest Processing FSCTL_CSC_INTERNAL request\n");
+
+                ntStatus = STATUS_INVALID_DEVICE_REQUEST;
+
                 break;
             }
 
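Review bot: The `#ifndef FSCTL_CSC_INTERNAL` / `#define` pair sits between two case labels inside the switch, where it is easy to miss and reads as if it were scoped to that case. Moving it to file scope, next to the driver's other control-code definitions, would keep the switch body to statements only. A one-line comment there would help, such as `// FSCTL_CSC_INTERNAL: defined locally when the build headers lack it; not supported by this redirector`. The FSCTL_IS_PATHNAME_VALID arm above it now returns STATUS_SUCCESS without inspecting the supplied path, and a short comment should state that this is intentional.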
@@ -293,19 +322,10 @@ AFSProcessUserFsRequest( IN PIRP Irp)
 
                 AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                               AFS_TRACE_LEVEL_VERBOSE_2,
-                              "AFSProcessUserFsRequest Processing FSCTL_GET_REPARSE_POINT request\n");
-
-                if( ulOutputBufferLen < FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer))
-                {
-
-                    ntStatus = STATUS_BUFFER_TOO_SMALL;
-
-                    Irp->IoStatus.Information = FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer);
-
-                    break;
-                }
-
-                ulRemainingLen -= FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer);
+                              "AFSProcessUserFsRequest Processing FSCTL_GET_REPARSE_POINT request %wZ Type 0x%x Attrib 0x%x\n",
+                              &pCcb->DirectoryCB->NameInformation.FileName,
+                              pCcb->DirectoryCB->ObjectInformation->FileType,
+                              pCcb->DirectoryCB->ObjectInformation->FileAttributes);
 
                 //
                 // Check if we have the reparse entry set on the entry
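Review bot: The extended trace call dereferences `pCcb->DirectoryCB` and `pCcb->DirectoryCB->ObjectInformation` as the first action of the FSCTL_GET_REPARSE_POINT case, before any validation visible in this hunk. If a file-system control request can reach this switch on a file object with no CCB or directory entry attached, the log statement itself would fault in kernel mode. The check may already exist earlier in AFSProcessUserFsRequest, which begins outside the hunk. If it does not, a guard ahead of the switch testing `pCcb == NULL || pCcb->DirectoryCB == NULL || pCcb->DirectoryCB->ObjectInformation == NULL` and failing with STATUS_INVALID_DEVICE_REQUEST would cover this case. It would also cover the identical trace calls added to the FSCTL_SET_REPARSE_POINT and FSCTL_DELETE_REPARSE_POINT cases.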
@@ -319,6 +339,18 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                     break;
                 }
 
+                if( ulOutputBufferLen < FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer))
+                {
+
+                    ntStatus = STATUS_BUFFER_TOO_SMALL;
+
+                    Irp->IoStatus.Information = FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer);
+
+                    break;
+                }
+
+                ulRemainingLen -= FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer);
+
                 //
                 // Populate the data in the reparse buffer
                 //
@@ -348,7 +380,7 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                                   pCcb->DirectoryCB->ObjectInformation->FileId.Vnode,
                                   pCcb->DirectoryCB->ObjectInformation->FileId.Unique);
 
-                    ntStatus = AFSVerifyEntry( &pFcb->AuthGroup,
+                    ntStatus = AFSVerifyEntry( &pCcb->AuthGroup,
                                                pCcb->DirectoryCB);
 
                     if( !NT_SUCCESS( ntStatus))
@@ -381,7 +413,7 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                         if( pCcb->DirectoryCB->NameInformation.TargetName.Length == 0)
                         {
 
-                            ntStatus = STATUS_ACCESS_DENIED;
+                            ntStatus = STATUS_REPARSE_POINT_NOT_RESOLVED;
 
                             break;
                         }
@@ -420,7 +452,7 @@ AFSProcessUserFsRequest( IN PIRP Irp)
 
                         if( pCcb->DirectoryCB->NameInformation.TargetName.Length == 0)
                         {
-                            ntStatus = STATUS_ACCESS_DENIED;
+                            ntStatus = STATUS_REPARSE_POINT_NOT_RESOLVED;
 
                             break;
                         }
@@ -474,7 +506,7 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                         if( pCcb->DirectoryCB->NameInformation.TargetName.Length == 0)
                         {
 
-                            ntStatus = STATUS_ACCESS_DENIED;
+                            ntStatus = STATUS_REPARSE_POINT_NOT_RESOLVED;
 
                             break;
                         }
@@ -538,15 +570,10 @@ AFSProcessUserFsRequest( IN PIRP Irp)
 
                 AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                               AFS_TRACE_LEVEL_VERBOSE_2,
-                              "AFSProcessUserFsRequest Processing FSCTL_SET_REPARSE_POINT request\n");
-
-                if( ulInputBufferLen < FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer))
-                {
-
-                    ntStatus = STATUS_INVALID_PARAMETER;
-
-                    break;
-                }
+                              "AFSProcessUserFsRequest Processing FSCTL_SET_REPARSE_POINT request %wZ Type 0x%x Attrib 0x%x\n",
+                              &pCcb->DirectoryCB->NameInformation.FileName,
+                              pCcb->DirectoryCB->ObjectInformation->FileType,
+                              pCcb->DirectoryCB->ObjectInformation->FileAttributes);
 
                 //
                 // Check if we have the reparse entry set on the entry
@@ -560,6 +587,14 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                     break;
                 }
 
+                if( ulInputBufferLen < FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer))
+                {
+
+                    ntStatus = STATUS_IO_REPARSE_DATA_INVALID;
+
+                    break;
+                }
+
                 if( pReparseBuffer->ReparseTag != IO_REPARSE_TAG_OPENAFS_DFS)
                 {
 
@@ -582,6 +617,8 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                 // For now deny access on this call
                 //
 
+                ntStatus = STATUS_INVALID_PARAMETER;
+
                 break;
             }
 
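Review bot: The comment directly above the new assignment still reads `For now deny access on this call`, but the status now returned is STATUS_INVALID_PARAMETER rather than an access-denied code. The comment should be updated to match the behaviour, for example `// For now fail this call with STATUS_INVALID_PARAMETER`. The enclosing case begins outside the hunk, so which request this arm serves is not visible here.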
@@ -592,15 +629,10 @@ AFSProcessUserFsRequest( IN PIRP Irp)
 
                 AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                               AFS_TRACE_LEVEL_VERBOSE_2,
-                              "AFSProcessUserFsRequest Processing FSCTL_DELETE_REPARSE_POINT request\n");
-
-                if( ulInputBufferLen < FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer))
-                {
-
-                    ntStatus = STATUS_INVALID_PARAMETER;
-
-                    break;
-                }
+                              "AFSProcessUserFsRequest Processing FSCTL_DELETE_REPARSE_POINT request %wZ Type 0x%x Attrib 0x%x\n",
+                              &pCcb->DirectoryCB->NameInformation.FileName,
+                              pCcb->DirectoryCB->ObjectInformation->FileType,
+                              pCcb->DirectoryCB->ObjectInformation->FileAttributes);
 
                 //
                 // Check if we have the reparse entry set on the entry
@@ -614,6 +646,14 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                     break;
                 }
 
+                if( ulInputBufferLen < FIELD_OFFSET( REPARSE_GUID_DATA_BUFFER, GenericReparseBuffer.DataBuffer))
+                {
+
+                    ntStatus = STATUS_INVALID_PARAMETER;
+
+                    break;
+                }
+
                 if( pReparseBuffer->ReparseTag != IO_REPARSE_TAG_OPENAFS_DFS)
                 {
 
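Review bot: A short input buffer is reported as STATUS_INVALID_PARAMETER in this FSCTL_DELETE_REPARSE_POINT check, while the equivalent check in the FSCTL_SET_REPARSE_POINT case of this commit was changed to STATUS_IO_REPARSE_DATA_INVALID. If the difference is deliberate, a comment on this line should say so. Otherwise use `ntStatus = STATUS_IO_REPARSE_DATA_INVALID;` here as well, so callers see one status for a truncated reparse header. Either way, the length check must stay ahead of the `pReparseBuffer->ReparseTag` read that follows it.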
@@ -647,7 +687,7 @@ AFSProcessUserFsRequest( IN PIRP Irp)
                               AFS_TRACE_LEVEL_VERBOSE_2,
                               "AFSProcessUserFsRequest Processing default (%08lX) request\n", ulFsControlCode);
 
-                ntStatus = STATUS_INVALID_PARAMETER;
+                ntStatus = STATUS_INVALID_DEVICE_REQUEST;
 
                 break;
         }