From 2d98e2a42d5b7fb5780be03fbe31b946e84b07e8 Mon Sep 17 00:00:00 2001 From: Bill Zissimopoulos Date: Tue, 24 Nov 2015 16:54:10 -0800 Subject: [PATCH] sys: WIP --- inc/winfsp/fsctl.h | 26 ++++++++++++++++++++++++++ src/sys/fsctl.c | 18 ++++++++++++++---- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/inc/winfsp/fsctl.h b/inc/winfsp/fsctl.h index c8c8c0c7..d6d7b0a7 100644 --- a/inc/winfsp/fsctl.h +++ b/inc/winfsp/fsctl.h @@ -32,4 +32,30 @@ extern const __declspec(selectany) GUID FspFsvrtDeviceClassGuid = #define FSP_FSCTL_CREATE_BUFFER_SIZE 64 #define FSP_FSCTL_TRANSACT_BUFFER_SIZE 4096 +/* marshalling */ +#pragma warning(push) +#pragma warning(disable:4200) /* zero-sized array in struct/union */ +typedef struct +{ + ULONG Size; + UINT_PTR Hint; + UINT8 Kind; + union + { + UINT8 Placeholder; // !!!: REMOVE + } Req; +} FSP_TRANSACT_REQ; +typedef struct +{ + ULONG Size; + UINT_PTR Hint; + IO_STATUS_BLOCK IoStatus; + UINT8 Kind; + union + { + UINT8 Placeholder; // !!!: REMOVE + } Req; +} FSP_TRANSACT_RSP; +#pragma warning(pop) + #endif diff --git a/src/sys/fsctl.c b/src/sys/fsctl.c index 50719f16..e0ac70bc 100644 --- a/src/sys/fsctl.c +++ b/src/sys/fsctl.c @@ -100,10 +100,11 @@ static NTSTATUS FspFsvrtDeleteVolume( PDEVICE_OBJECT DeviceObject, PIRP Irp, PIO_STACK_LOCATION IrpSp) { NTSTATUS Result; + FSP_FSVRT_DEVICE_EXTENSION *FsvrtDeviceExtension = FspFsvrtDeviceExtension(DeviceObject); + /* access check */ Result = FspSecuritySubjectContextAccessCheck( - FspFsvrtDeviceExtension(DeviceObject)->SecurityDescriptorBuf, - FILE_WRITE_DATA, Irp->RequestorMode); + FsvrtDeviceExtension->SecurityDescriptorBuf, FILE_WRITE_DATA, Irp->RequestorMode); if (!NT_SUCCESS(Result)) return Result; 
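Review bot: In inc/winfsp/fsctl.h, `UINT_PTR Hint` gives FSP_TRANSACT_REQ and FSP_TRANSACT_RSP a layout that depends on pointer width, so a 32-bit process talking to a 64-bit driver would disagree on field offsets and on `sizeof`; a fixed-width `UINT64 Hint` avoids that. If Hint is meant to carry a kernel value that user mode echoes back in the response (presumably an IRP or context handle, not visible here), the driver should look it up in its own table rather than dereference it, because the response buffer is caller-controlled. The padding after `ULONG Size` and after the trailing `UINT8` members should be zeroed before a request is copied out, so it cannot carry stale kernel memory to user mode. The union in FSP_TRANSACT_RSP is also named `Req`, which looks like a copy-paste from the request struct; `Rsp` would match.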
@@ -113,12 +114,21 @@ static NTSTATUS FspFsvrtDeleteVolume( static NTSTATUS FspFsvrtTransact( PDEVICE_OBJECT DeviceObject, PIRP Irp, PIO_STACK_LOCATION IrpSp) { + /* check parameters */ + ULONG InputBufferLength = IrpSp->Parameters.FileSystemControl.InputBufferLength; + ULONG OutputBufferLength = IrpSp->Parameters.FileSystemControl.OutputBufferLength; + PVOID SystemBuffer = Irp->AssociatedIrp.SystemBuffer; + if (sizeof(FSP_TRANSACT_RSP) > InputBufferLength || 0 == SystemBuffer) + return STATUS_INVALID_PARAMETER; + if (FSP_FSCTL_TRANSACT_BUFFER_SIZE > OutputBufferLength) + return STATUS_BUFFER_TOO_SMALL; + NTSTATUS Result; + FSP_FSVRT_DEVICE_EXTENSION *FsvrtDeviceExtension = FspFsvrtDeviceExtension(DeviceObject); /* access check */ Result = FspSecuritySubjectContextAccessCheck( - FspFsvrtDeviceExtension(DeviceObject)->SecurityDescriptorBuf, - FILE_WRITE_DATA, Irp->RequestorMode); + FsvrtDeviceExtension->SecurityDescriptorBuf, FILE_WRITE_DATA, Irp->RequestorMode); if (!NT_SUCCESS(Result)) return Result;
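Review bot: The new length check in FspFsvrtTransact only proves that InputBufferLength covers a fixed FSP_TRANSACT_RSP header; the `Size` field inside that header is written by the user-mode caller and nothing visible ties it to InputBufferLength. Before the body (which continues outside this hunk) reads the response, it should reject inconsistent sizes, e.g. with `Rsp` being SystemBuffer cast to the response type, `if (Rsp->Size < sizeof(FSP_TRANSACT_RSP) || Rsp->Size > InputBufferLength) return STATUS_INVALID_PARAMETER;`. The parameter checks also run ahead of FspSecuritySubjectContextAccessCheck, so a caller without FILE_WRITE_DATA gets buffer-specific status codes instead of the access-check result; doing the access check first keeps that failure uniform. If this control code is METHOD_BUFFERED (not visible here), input and output share SystemBuffer, so the response has to be fully consumed before any request is written into it.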