Public/winfsp
1
0
Fork 0
mirror of https://github.com/winfsp/winfsp.git synced 2026-06-15 09:06:03 -05:00
Code Activity

sys: FspVolumeNotify: fix integer overflow vulnerability

Browse Source 
This vulnerability was reported by:
- Tay Kiat Loong (GitHub: @owl4444)
- uhg (GitHub: @UltimateHG)
This commit is contained in:
Bill Zissimopoulos
2026-06-13 16:41:35 +03:00
parent bdab233e92
commit bd8b54c469
3 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
inc/winfsp/fsctl.h
+2
View File
@@ -147,6 +147,8 @@ FSP_FSCTL_STATIC_ASSERT(FSP_FSCTL_VOLUME_NAME_SIZEMAX <= 260 * sizeof(WCHAR),
#define FSP_FSCTL_DEVICECONTROL_SIZEMAX (4 * 1024) /* must be < FSP_FSCTL_TRANSACT_{REQ,RSP}_SIZEMAX */ #define FSP_FSCTL_DEVICECONTROL_SIZEMAX (4 * 1024) /* must be < FSP_FSCTL_TRANSACT_{REQ,RSP}_SIZEMAX */
#define FSP_FSCTL_NOTIFY_INFO_SIZEMAX (0x7fffffffU)
/* marshalling */ /* marshalling */
#pragma warning(push) #pragma warning(push)
#pragma warning(disable:4200 4201) /* zero-sized array in struct/union; nameless struct/union */ #pragma warning(disable:4200 4201) /* zero-sized array in struct/union; nameless struct/union */
src/sys/volume.c
+3
View File
@@ -1389,6 +1389,9 @@ NTSTATUS FspVolumeNotify(
if (0 == InputBufferLength) if (0 == InputBufferLength)
return FspVolumeNotifyLock(FsvolDeviceObject); return FspVolumeNotifyLock(FsvolDeviceObject);
if (FSP_FSCTL_NOTIFY_INFO_SIZEMAX < InputBufferLength)
return STATUS_INVALID_PARAMETER;
if (!FspDeviceReference(FsvolDeviceObject)) if (!FspDeviceReference(FsvolDeviceObject))
return STATUS_CANCELLED; return STATUS_CANCELLED;
tst/winfsp-tests/notify-test.c
+32
View File
@@ -27,6 +27,37 @@
#include "winfsp-tests.h" #include "winfsp-tests.h"
static
void notify_invalid_dotest(ULONG Flags)
{
void *memfs = memfs_start(Flags);
FSP_FILE_SYSTEM *FileSystem = MemfsFileSystem(memfs);
NTSTATUS Result;
Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, 1);
ASSERT(STATUS_ACCESS_VIOLATION == Result);
Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, FSP_FSCTL_NOTIFY_INFO_SIZEMAX);
ASSERT(STATUS_ACCESS_VIOLATION == Result || STATUS_INSUFFICIENT_RESOURCES == Result);
Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, FSP_FSCTL_NOTIFY_INFO_SIZEMAX + 1);
ASSERT(STATUS_INVALID_PARAMETER == Result);
Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, 0xffffffffU);
ASSERT(STATUS_INVALID_PARAMETER == Result);
memfs_stop(memfs);
}
static
void notify_invalid_test(void)
{
if (WinFspDiskTests)
notify_invalid_dotest(MemfsDisk);
if (WinFspNetTests)
notify_invalid_dotest(MemfsNet);
}
static static
void notify_abandon_dotest(ULONG Flags) void notify_abandon_dotest(ULONG Flags)
{ {
@@ -479,6 +510,7 @@ void notify_tests(void)
if (OptExternal || OptNotify) if (OptExternal || OptNotify)
return; return;
TEST(notify_invalid_test);
TEST(notify_abandon_test); TEST(notify_abandon_test);
TEST(notify_abandon_rename_test); TEST(notify_abandon_rename_test);
/* OBSOLETE: it is now possible to have multiple outstanding NotifyBegin() calls. */ /* OBSOLETE: it is now possible to have multiple outstanding NotifyBegin() calls. */