server: Add the name length to the object_attributes structure so that other variable length data can be present after object_attributes.
diff --git a/dlls/ntdll/sync.c b/dlls/ntdll/sync.c
index 191cd07..47c8461 100644
--- a/dlls/ntdll/sync.c
+++ b/dlls/ntdll/sync.c
@@ -154,6 +154,7 @@
objattr.rootdir = attr ? attr->RootDirectory : 0;
objattr.sd_len = 0;
+ objattr.name_len = len;
if (attr)
{
ret = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
@@ -262,6 +263,7 @@
objattr.rootdir = attr ? attr->RootDirectory : 0;
objattr.sd_len = 0;
+ objattr.name_len = len;
if (attr)
{
ret = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
@@ -425,6 +427,7 @@
objattr.rootdir = attr ? attr->RootDirectory : 0;
objattr.sd_len = 0;
+ objattr.name_len = len;
if (attr)
{
status = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
index 2c08a16..684fa5d 100644
--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
@@ -1864,6 +1864,7 @@
objattr.rootdir = attr ? attr->RootDirectory : 0;
objattr.sd_len = 0;
+ objattr.name_len = len;
if (attr)
{
ret = NTDLL_create_struct_sd( attr->SecurityDescriptor, &sd, &objattr.sd_len );
diff --git a/server/event.c b/server/event.c
index f866211..99d0f4b 100644
--- a/server/event.c
+++ b/server/event.c
@@ -180,10 +180,7 @@
return;
sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
-
- /* get unicode string */
- name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
- name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+ objattr_get_name( objattr, &name );
if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
return;
diff --git a/server/mapping.c b/server/mapping.c
index 8f1bf5c..bd21a50 100644
--- a/server/mapping.c
+++ b/server/mapping.c
@@ -408,10 +408,7 @@
return;
sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
-
- /* get unicode string */
- name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
- name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+ objattr_get_name( objattr, &name );
if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
return;
diff --git a/server/mutex.c b/server/mutex.c
index 7064c6f..979f21f 100644
--- a/server/mutex.c
+++ b/server/mutex.c
@@ -205,10 +205,7 @@
return;
sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
-
- /* get unicode string */
- name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
- name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+ objattr_get_name( objattr, &name );
if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
return;
diff --git a/server/protocol.def b/server/protocol.def
index d336af6..1ecc886 100644
--- a/server/protocol.def
+++ b/server/protocol.def
@@ -237,6 +237,7 @@
{
obj_handle_t rootdir; /* root directory */
data_size_t sd_len; /* length of security_descriptor data. may be 0 */
+ data_size_t name_len; /* length of the name string. may be 0 */
/* VARARG(sd,security_descriptor); */
/* VARARG(name,unicode_str); */
};
diff --git a/server/security.h b/server/security.h
index 50fba52..ebdf95f 100644
--- a/server/security.h
+++ b/server/security.h
@@ -131,3 +131,8 @@
/* determines whether an object_attributes struct is valid in a buffer
* and calls set_error appropriately */
extern int objattr_is_valid( const struct object_attributes *objattr, data_size_t size );
+static inline void objattr_get_name( const struct object_attributes *objattr, struct unicode_str *name )
+{
+ name->len = ((objattr->name_len) / sizeof(WCHAR)) * sizeof(WCHAR);
+ name->str = (const WCHAR *)objattr + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+}
diff --git a/server/semaphore.c b/server/semaphore.c
index a8318cd..09445e1 100644
--- a/server/semaphore.c
+++ b/server/semaphore.c
@@ -180,10 +180,8 @@
return;
sd = objattr->sd_len ? (const struct security_descriptor *)(objattr + 1) : NULL;
+ objattr_get_name( objattr, &name );
- /* get unicode string */
- name.len = ((get_req_data_size() - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR);
- name.str = (const WCHAR *)get_req_data() + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
if (objattr->rootdir && !(root = get_directory_obj( current->process, objattr->rootdir, 0 )))
return;
diff --git a/server/token.c b/server/token.c
index 665ed48..93696d9 100644
--- a/server/token.c
+++ b/server/token.c
@@ -309,7 +309,8 @@
* and calls set_error appropriately */
int objattr_is_valid( const struct object_attributes *objattr, data_size_t size )
{
- if ((size < sizeof(*objattr)) || (size - sizeof(*objattr) < objattr->sd_len))
+ if ((size < sizeof(*objattr)) || (size - sizeof(*objattr) < objattr->sd_len) ||
+ (size - sizeof(*objattr) - objattr->sd_len < objattr->name_len))
{
set_error( STATUS_ACCESS_VIOLATION );
return FALSE;
diff --git a/server/trace.c b/server/trace.c
index 30d6efd..0f0e17d 100644
--- a/server/trace.c
+++ b/server/trace.c
@@ -790,14 +790,16 @@
{
const WCHAR *str;
fprintf( stderr, "rootdir=%p,sd=", objattr->rootdir );
- if (objattr->sd_len > size - sizeof(*objattr)) return;
+ if (objattr->sd_len > size - sizeof(*objattr) ||
+ objattr->name_len > size - sizeof(*objattr) - objattr->sd_len)
+ return;
dump_inline_security_descriptor( (const struct security_descriptor *)(objattr + 1), objattr->sd_len );
- str = (const WCHAR *)cur_data + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
+ str = (const WCHAR *)objattr + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
fprintf( stderr, ",name=L\"" );
- dump_strW( str, (size - sizeof(*objattr) - objattr->sd_len) / sizeof(WCHAR),
- stderr, "\"\"" );
+ dump_strW( str, objattr->name_len / sizeof(WCHAR), stderr, "\"\"" );
fputc( '\"', stderr );
- remove_data( size );
+ remove_data( ((sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR)) * sizeof(WCHAR) +
+ objattr->name_len );
}
fputc( '}', stderr );
}
