author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2018-09-20 09:50:45 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2018-09-21 10:39:08 +0200 |
commit | 2455c03e0d368914254b47a69a6ff607bfdac164 (patch) | |
tree | 3dca4cfadfbb2beb9262b46de2c46b4a3ff840fa | |
parent | f30f9339c9a0b9bbcc6f5ad38804af39db1f479e (diff) | |
Windows driver: add extra check for data read in TC_IOCTL_OPEN_TEST handling
-rw-r--r-- | src/Driver/Ntdriver.c | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index cea48b27..37f07099 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -289,6 +289,23 @@ BOOL IsAllZeroes (unsigned char* pbData, DWORD dwDataLen)
 return TRUE;
 }
 
+static BOOL StringNoCaseCompare (const wchar_t* str1, const wchar_t* str2, size_t len)
+{
+ if (str1 && str2)
+ {
+ while (len)
+ {
+ if (RtlUpcaseUnicodeChar (*str1) != RtlUpcaseUnicodeChar (*str2))
+ return FALSE;
+ str1++;
+ str2++;
+ len--;
+ }
+ }
+
+ return TRUE;
+}
+
 BOOL ValidateIOBufferSize (PIRP irp, size_t requiredBufferSize, ValidateIOBufferSizeType type)
 {
 PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation (irp);
@@ -1745,10 +1762,23 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 IO_STATUS_BLOCK IoStatus;
 LARGE_INTEGER offset;
 ACCESS_MASK access = FILE_READ_ATTRIBUTES;
+ size_t devicePathLen = 0;
 
 if (!ValidateIOBufferSize (Irp, sizeof (OPEN_TEST_STRUCT), ValidateInputOutput))
 break;
 
+ // check that opentest->wszFileName is a device path that starts with "\\Device\\Harddisk"
+ if ( !NT_SUCCESS (RtlUnalignedStringCchLengthW (opentest->wszFileName, TC_MAX_PATH, &devicePathLen))
+ || (devicePathLen < 16) // 16 is the length of "\\Device\\Harddisk" which is the minimum
+ || (!StringNoCaseCompare (opentest->wszFileName, L"\\Device\\Harddisk", 16))
+ )
+ {
+ Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
+ Irp->IoStatus.Information = 0;
+ break;
+ }
+
+
 EnsureNullTerminatedString (opentest->wszFileName, sizeof (opentest->wszFileName));
 RtlInitUnicodeString (&FullFileName, opentest->wszFileName);
 
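Review bot: StringNoCaseCompare returns TRUE when either pointer is NULL, because the `if (str1 && str2)` guard only skips the loop and control falls through to `return TRUE;`. For a helper that backs an allow-list test this is fail-open; `if (!str1 || !str2) return FALSE;` at the top keeps a missing input from counting as a match. The loop also reads exactly `len` characters from both buffers without stopping at a terminator, so the function should carry a header comment stating that callers must guarantee both strings hold at least `len` characters, as the TC_IOCTL_OPEN_TEST caller does with its `devicePathLen < 16` test.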
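Review bot: In the second hunk (ProcessMainDeviceControlIrp), the new test constrains only the first 16 characters of `opentest->wszFileName`; whatever follows `\Device\Harddisk` reaches `RtlInitUnicodeString` unchanged. If the intent is to limit this IOCTL to disk and partition device objects, the remainder of the name needs its own validation; if longer paths under that prefix are meant to be accepted, a comment such as `// prefix allow-list only: the rest of the path is not validated here` would record that decision. The literal and the two `16`s can also drift apart; deriving the length from one array, e.g. `static const wchar_t devPrefix[] = L"\\Device\\Harddisk";` with `(sizeof (devPrefix) / sizeof (devPrefix[0])) - 1`, removes that risk. The enclosing case block starts and ends outside this hunk.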
@@ -1866,7 +1896,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 &offset,
 NULL);
 
- if (NT_SUCCESS (ntStatus))
+ if (NT_SUCCESS (ntStatus) && (IoStatus.Information >= TC_VOLUME_HEADER_EFFECTIVE_SIZE))
 {
 /* compute the ID of this volume: SHA-256 of the effective header */
 sha256 (opentest->volumeIDs[volumeType], readBuffer, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
|
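Review bot: With the added `IoStatus.Information >= TC_VOLUME_HEADER_EFFECTIVE_SIZE` term, a read that succeeds but returns too few bytes now takes the same path as a failed read while `ntStatus` still holds a success code. The else branch and the status reported back to the caller are outside this hunk, so it is worth confirming that a short read does not complete the request as successful with `volumeIDs[volumeType]` left unset. A comment on the condition would also help, e.g. `/* short read: readBuffer holds fewer valid bytes than the effective header size, so no ID is computed */`.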