From 2455c03e0d368914254b47a69a6ff607bfdac164 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Thu, 20 Sep 2018 09:50:45 +0200
Subject: Windows driver: add extra check for data read in TC_IOCTL_OPEN_TEST
 handling

---
 src/Driver/Ntdriver.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index cea48b27..37f07099 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -289,6 +289,23 @@ BOOL IsAllZeroes (unsigned char* pbData, DWORD dwDataLen)
 	return TRUE;
 }
 
+static BOOL StringNoCaseCompare (const wchar_t* str1, const wchar_t* str2, size_t len)
+{
+	if (str1 && str2)
+	{
+		while (len)
+		{
+			if (RtlUpcaseUnicodeChar (*str1) != RtlUpcaseUnicodeChar (*str2))
+				return FALSE;
+			str1++;
+			str2++;
+			len--;
+		}
+	}
+
+	return TRUE;
+}
+
 BOOL ValidateIOBufferSize (PIRP irp, size_t requiredBufferSize, ValidateIOBufferSizeType type)
 {
 	PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation (irp);
@@ -1745,10 +1762,23 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 			IO_STATUS_BLOCK IoStatus;
 			LARGE_INTEGER offset;
 			ACCESS_MASK access = FILE_READ_ATTRIBUTES;
+			size_t devicePathLen = 0;
 
 			if (!ValidateIOBufferSize (Irp, sizeof (OPEN_TEST_STRUCT), ValidateInputOutput))
 				break;
 
+			// check that opentest->wszFileName is a device path that starts with "\\Device\\Harddisk"
+			if (	!NT_SUCCESS (RtlUnalignedStringCchLengthW (opentest->wszFileName, TC_MAX_PATH, &devicePathLen))
+				||	(devicePathLen < 16) // 16 is the length of "\\Device\\Harddisk" which is the minimum
+				||	(!StringNoCaseCompare (opentest->wszFileName, L"\\Device\\Harddisk", 16))
+				)
+			{
+				Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
+				Irp->IoStatus.Information = 0;
+				break;
+			}
+
+
 			EnsureNullTerminatedString (opentest->wszFileName, sizeof (opentest->wszFileName));
 			RtlInitUnicodeString (&FullFileName, opentest->wszFileName);
 
@@ -1866,7 +1896,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 								&offset,
 								NULL);
 
-								if (NT_SUCCESS (ntStatus))
+								if (NT_SUCCESS (ntStatus) && (IoStatus.Information >= TC_VOLUME_HEADER_EFFECTIVE_SIZE))
 								{
 									/* compute the ID of this volume: SHA-256 of the effective header */
 									sha256 (opentest->volumeIDs[volumeType], readBuffer, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
-- 
cgit v1.2.3