From a318100d246fda7c205ca07be56c68e9d6025254 Mon Sep 17 00:00:00 2001
From: Bill Zissimopoulos
Date: Mon, 30 Nov 2015 15:22:35 -0800
Subject: [PATCH] sys: FspValidRelativeSecurityDescriptor
---
 src/sys/device.c | 1 -
 src/sys/driver.h | 25 ++++++++++++++-----------
 src/sys/fsctl.c | 2 +-
 src/sys/misc.c | 25 +++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/src/sys/device.c b/src/sys/device.c
index 5fa64741..67cf6f94 100644
--- a/src/sys/device.c
+++ b/src/sys/device.c
@@ -147,7 +147,6 @@ VOID FspDeviceDelete(PDEVICE_OBJECT DeviceObject)
 }
 ExDeleteResourceLite(&DeviceExtension->Resource);
- RtlZeroMemory(DeviceExtension, DeviceObject->Size - sizeof(DEVICE_OBJECT));
 IoDeleteDevice(DeviceObject);
 }
diff --git a/src/sys/driver.h b/src/sys/driver.h
index 795bdb42..f6666183 100644
--- a/src/sys/driver.h
+++ b/src/sys/driver.h
@@ -164,12 +164,12 @@
 #pragma warning(disable:4200) /* zero-sized array in struct/union */
 /* driver major functions */
-_Function_class_(DRIVER_DISPATCH)
-_IRQL_requires_max_(APC_LEVEL)
- /* see https://msdn.microsoft.com/en-us/library/windows/hardware/ff540124(v=vs.85).aspx */
-_IRQL_requires_same_
-typedef NTSTATUS FSP_DRIVER_DISPATCH(
- _In_ struct _DEVICE_OBJECT *DeviceObject, _Inout_ struct _IRP *Irp);
+_Function_class_(DRIVER_DISPATCH)
+_IRQL_requires_max_(APC_LEVEL)
+ /* see https://msdn.microsoft.com/en-us/library/windows/hardware/ff540124(v=vs.85).aspx */
+_IRQL_requires_same_
+typedef NTSTATUS FSP_DRIVER_DISPATCH(
+ _In_ struct _DEVICE_OBJECT *DeviceObject, _Inout_ struct _IRP *Irp);
 _Dispatch_type_(IRP_MJ_CLEANUP) FSP_DRIVER_DISPATCH FspCleanup;
 _Dispatch_type_(IRP_MJ_CLOSE) FSP_DRIVER_DISPATCH FspClose;
 _Dispatch_type_(IRP_MJ_CREATE) FSP_DRIVER_DISPATCH FspCreate;
@@ -191,10 +191,10 @@ _Dispatch_type_(IRP_MJ_SHUTDOWN) FSP_DRIVER_DISPATCH FspShutdown;
 _Dispatch_type_(IRP_MJ_WRITE) FSP_DRIVER_DISPATCH FspWrite;
 /* I/O process functions */
-_IRQL_requires_max_(APC_LEVEL)
-_IRQL_requires_same_
-typedef VOID FSP_IOCMPL_DISPATCH(
- _Inout_ PIRP Irp, _In_ const FSP_FSCTL_TRANSACT_RSP *Response);
+_IRQL_requires_max_(APC_LEVEL)
+_IRQL_requires_same_
+typedef VOID FSP_IOCMPL_DISPATCH(
+ _Inout_ PIRP Irp, _In_ const FSP_FSCTL_TRANSACT_RSP *Response);
 FSP_IOCMPL_DISPATCH FspCleanupComplete;
 FSP_IOCMPL_DISPATCH FspCloseComplete;
 FSP_IOCMPL_DISPATCH FspCreateComplete;
@@ -322,6 +322,9 @@ VOID FspIopDispatchComplete(PIRP Irp, const FSP_FSCTL_TRANSACT_RSP *Response);
 /* misc */
 NTSTATUS FspCreateGuid(GUID *Guid);
+BOOLEAN FspValidRelativeSecurityDescriptor(
+ PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG SecurityDescriptorLength,
+ SECURITY_INFORMATION RequiredInformation);
 NTSTATUS FspSecuritySubjectContextAccessCheck(
 PSECURITY_DESCRIPTOR SecurityDescriptor, ACCESS_MASK DesiredAccess, KPROCESSOR_MODE AccessMode);
@@ -338,6 +341,6 @@ const char *IoctlCodeSym(ULONG ControlCode);
 extern PDRIVER_OBJECT FspDriverObject;
 extern PDEVICE_OBJECT FspFsctlDiskDeviceObject;
 extern PDEVICE_OBJECT FspFsctlNetDeviceObject;
-extern FSP_IOCMPL_DISPATCH *FspIopCompleteFunction[];
+extern FSP_IOCMPL_DISPATCH *FspIopCompleteFunction[];
 #endif
diff --git a/src/sys/fsctl.c b/src/sys/fsctl.c
index 8e0ab932..881366a2 100644
--- a/src/sys/fsctl.c
+++ b/src/sys/fsctl.c
@@ -110,7 +110,7 @@ static NTSTATUS FspFsctlCreateVolume(
 PSECURITY_DESCRIPTOR SecurityDescriptor = (PVOID)(Params + 1);
 DWORD SecurityDescriptorSize = InputBufferLength - sizeof *Params;
 if (sizeof *Params >= InputBufferLength || 0 == SystemBuffer ||
- !RtlValidRelativeSecurityDescriptor(SecurityDescriptor, SecurityDescriptorSize,
+ !FspValidRelativeSecurityDescriptor(SecurityDescriptor, SecurityDescriptorSize,
 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
 return STATUS_INVALID_PARAMETER;
 if (FSP_FSCTL_CREATE_BUFFER_SIZE > OutputBufferLength)
diff --git a/src/sys/misc.c b/src/sys/misc.c
index 6749a5d5..1242b4c7 100644
--- a/src/sys/misc.c
+++ b/src/sys/misc.c
@@ -7,11 +7,15 @@
 #include
 NTSTATUS FspCreateGuid(GUID *Guid);
+BOOLEAN FspValidRelativeSecurityDescriptor(
+ PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG SecurityDescriptorLength,
+ SECURITY_INFORMATION RequiredInformation);
 NTSTATUS FspSecuritySubjectContextAccessCheck(
 PSECURITY_DESCRIPTOR SecurityDescriptor, ACCESS_MASK DesiredAccess, KPROCESSOR_MODE AccessMode);
 #ifdef ALLOC_PRAGMA
 #pragma alloc_text(PAGE, FspCreateGuid)
+#pragma alloc_text(PAGE, FspValidRelativeSecurityDescriptor)
 #pragma alloc_text(PAGE, FspSecuritySubjectContextAccessCheck)
 #endif
@@ -30,6 +34,27 @@ NTSTATUS FspCreateGuid(GUID *Guid)
 return Result;
 }
+BOOLEAN FspValidRelativeSecurityDescriptor(
+ PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG SecurityDescriptorLength,
+ SECURITY_INFORMATION RequiredInformation)
+{
+ PAGED_CODE();
+
+ BOOLEAN Result;
+
+ try
+ {
+ Result = RtlValidRelativeSecurityDescriptor(SecurityDescriptor, SecurityDescriptorLength,
+ RequiredInformation);
+ }
+ except(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Result = FALSE;
+ }
+
+ return Result;
+}
+
 NTSTATUS FspSecuritySubjectContextAccessCheck(
 PSECURITY_DESCRIPTOR SecurityDescriptor, ACCESS_MASK DesiredAccess, KPROCESSOR_MODE AccessMode)
 {
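Review bot: In FspFsctlCreateVolume (src/sys/fsctl.c) the validation call is only safe because of operand order: `SecurityDescriptorSize` is computed as `InputBufferLength - sizeof *Params` two lines above the `sizeof *Params >= InputBufferLength` test, so for a short input buffer it has presumably already wrapped to a large unsigned value when the condition is evaluated. Short-circuit evaluation keeps that value away from FspValidRelativeSecurityDescriptor today, but a later reordering of the condition would hand a bogus length to the validator over caller-supplied data. I would pin this with a comment on the condition, e.g. `/* length test must stay first: SecurityDescriptorSize is only valid when InputBufferLength > sizeof *Params */`, or compute the size after the length test. The function body starts and ends outside this hunk.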
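Review bot: FspValidRelativeSecurityDescriptor in src/sys/misc.c carries no comment saying which exception the `try`/`except(EXCEPTION_EXECUTE_HANDLER)` guard is meant to absorb, and the blanket handler turns every catchable exception into `FALSE`. Failing closed is the right default for a descriptor that arrives in an FSCTL input buffer, but the handler should not be read as making arbitrary pointers safe: in kernel mode a structured handler does not recover from a fault on an invalid kernel address, so the caller still has to guarantee that `SecurityDescriptor` is readable for `SecurityDescriptorLength` bytes. I would add a header comment along the lines of `/* SecurityDescriptor must point to SecurityDescriptorLength readable bytes; any exception raised during validation is treated as "invalid" */` and, if the triggering exception is known, name it there. The same contract could be stated next to the prototype added in src/sys/driver.h.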