From a525e095d3ac8f84d494e963f09c8096060ce1e3 Mon Sep 17 00:00:00 2001
From: Bill Zissimopoulos
Date: Fri, 21 Oct 2016 21:46:47 -0700
Subject: [PATCH] sys: check Response->IoStatus.Information for Read, Write, QueryDirectory
---
 src/sys/dirctl.c | 4 ++++
 src/sys/fileinfo.c | 2 +-
 src/sys/read.c | 4 ++++
 src/sys/write.c | 4 ++++
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/sys/dirctl.c b/src/sys/dirctl.c
index 53f570c2..616456d4 100644
--- a/src/sys/dirctl.c
+++ b/src/sys/dirctl.c
@@ -855,6 +855,10 @@ NTSTATUS FspFsvolDirectoryControlComplete(
 }
 FSP_FSCTL_TRANSACT_REQ *Request = FspIrpRequest(Irp);
+
+ if (Response->IoStatus.Information > Request->Req.QueryDirectory.Length)
+ FSP_RETURN(Result = STATUS_INTERNAL_ERROR);
+
 PFILE_OBJECT FileObject = IrpSp->FileObject;
 FSP_FILE_NODE *FileNode = FileObject->FsContext;
 FSP_FILE_DESC *FileDesc = FileObject->FsContext2;
diff --git a/src/sys/fileinfo.c b/src/sys/fileinfo.c
index b9309eea..42f68791 100644
--- a/src/sys/fileinfo.c
+++ b/src/sys/fileinfo.c
@@ -546,7 +546,7 @@ static NTSTATUS FspFsvolQueryStreamInformationSuccess(
 (PUINT8)Response + Response->Size)
 {
 Irp->IoStatus.Information = 0;
- return STATUS_INFO_LENGTH_MISMATCH; /* ???: what is the best code to return here? */
+ return STATUS_INTERNAL_ERROR;
 }
 FspIopRequestContext(Request, RequestInfoChangeNumber) = (PVOID)
diff --git a/src/sys/read.c b/src/sys/read.c
index 1fd42ce1..405dbbce 100644
--- a/src/sys/read.c
+++ b/src/sys/read.c
@@ -347,6 +347,10 @@ NTSTATUS FspFsvolReadComplete(
 }
 FSP_FSCTL_TRANSACT_REQ *Request = FspIrpRequest(Irp);
+
+ if (Response->IoStatus.Information > Request->Req.Read.Length)
+ FSP_RETURN(Result = STATUS_INTERNAL_ERROR);
+
 FSP_SAFE_MDL *SafeMdl = FspIopRequestContext(Request, RequestSafeMdl);
 PFILE_OBJECT FileObject = IrpSp->FileObject;
 LARGE_INTEGER ReadOffset = IrpSp->Parameters.Read.ByteOffset;
diff --git a/src/sys/write.c b/src/sys/write.c
index cda6f68a..7f7f851a 100644
--- a/src/sys/write.c
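Review bot: The new early exit in FspFsvolDirectoryControlComplete returns STATUS_INTERNAL_ERROR without clearing `Irp->IoStatus.Information`, whereas the existing rejection path in the fileinfo.c hunk sets `Irp->IoStatus.Information = 0;` before returning; the identical checks added in the read.c and write.c hunks have the same gap. Whether the exit path behind FSP_RETURN resets that field is not visible here, so either confirm that it does or make the three checks explicit, e.g. `{ Irp->IoStatus.Information = 0; FSP_RETURN(Result = STATUS_INTERNAL_ERROR); }`. A one-line comment such as `/* reject a response that claims more bytes than the request asked for */` would also record why the bound exists. The function body starts and ends outside the hunk.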
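Review bot: The replaced line drops the only comment on this rejection path, and after this commit the same STATUS_INTERNAL_ERROR comes back from four separate response-validation checks, so nothing tells a maintainer or someone triaging a failure which bound was violated. A short comment here, for example `/* response data extends past Response->Size; treat as a malformed response */`, would document the intent; the condition begins above the hunk, so the wording should be checked against the full expression. If the driver already has a debug trace facility, logging the offending sizes at each of these checks would make a misbehaving file system much easier to spot.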
+++ b/src/sys/write.c
@@ -405,6 +405,10 @@ NTSTATUS FspFsvolWriteComplete(
 }
 FSP_FSCTL_TRANSACT_REQ *Request = FspIrpRequest(Irp);
+
+ if (Response->IoStatus.Information > Request->Req.Write.Length)
+ FSP_RETURN(Result = STATUS_INTERNAL_ERROR);
+
 PFILE_OBJECT FileObject = IrpSp->FileObject;
 FSP_FILE_NODE *FileNode = FileObject->FsContext;
 LARGE_INTEGER WriteOffset = IrpSp->Parameters.Write.ByteOffset;