[ros-bugs] [Bug 1101] Handling of parameters in GetTempFileNameW

ReactOS.Bugzilla at reactos.org
Sun Dec 11 22:29:39 CET 2005


http://www.reactos.org/bugzilla/show_bug.cgi?id=1101


w3seek at reactos.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From w3seek at reactos.com  2005-12-11 22:29 CET -------
> Line 1170 blindly copies the contents of parameter 'path' into parameter
> 'buffer'. By manipulating the value of 'path' to be larger than 'buffer' a
> buffer overflow can occur, which could possibly lead to modification of formatW.
> This would then lead to further format string attacks.

I did some tests and this is what happens on Windows. Of course it can be a
security issue, the function requires prior checks by the application to pass
valid buffers.

> The platform SDK says this about parameter 'path': "The string cannot be longer
> than MAX_PATH-14 characters. If this parameter is NULL, the function fails."
> 
> Only the second test is performed. I would recommend adding a check for the
> length and breaking on an error.

That would "break" compatibility, we shouldn't add the check even if it made sense.

> Again, from the platform SDK, this time about 'buffer': "This buffer should be
> MAX_PATH characters to accommodate the path plus the terminating null character."
> 
> Should a check be added for this condition as well? The SDK is hazy in that it
> says 'should' and not 'must'. Perhaps a test to see if length(path) + 14 >
> len(buffer) would suffice?

there's no reliable possibility to check the size of buffer, the function trusts
the caller to provide valid buffers and data. The check cannot and shouldn't be
added.

All in all, of course you're right with your observation but we shouldn't break
compatibility because there might be an application out there that depends on
this behavior (and it might even depend on a crash, although that'd be pretty
stupid). Nothing to fix.
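The contract the discussion above leaves to the caller (a non-NULL 'path' of at most MAX_PATH-14 characters and a 'buffer' of MAX_PATH characters) written out as a caller-side check, as an added C example that is not ReactOS or Windows code. The function names are hypothetical, the "<path>\<prefix><hex>.TMP" layout only approximates what the real API produces, and the bounded swprintf stands in for the unchecked copy the bug report describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define MAX_PATH 260            /* Win32 constant */
#define TEMPNAME_RESERVE 14     /* SDK: 'path' must be <= MAX_PATH-14 characters */

/* Bounded length scan so an unterminated 'path' cannot run off the end. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/*
 * Caller-side precondition check (hypothetical helper): the API trusts its
 * arguments, so the application must verify them before the call. Returns 1
 * if 'path' and a 'buffer' of 'buffer_len' wchar_t satisfy the documented
 * contract, else 0.
 */
int temp_name_args_ok(const wchar_t *path, size_t buffer_len)
{
    if (path == NULL || buffer_len < MAX_PATH)
        return 0;
    /* Scan one past the limit so an over-long path is rejected, not truncated. */
    size_t n = bounded_wlen(path, MAX_PATH - TEMPNAME_RESERVE + 1);
    return n <= MAX_PATH - TEMPNAME_RESERVE;
}

/*
 * Hypothetical checked wrapper: composes "<path>\<prefix><unique hex>.TMP"
 * into 'buffer' only after the precondition check passes, and uses a bounded
 * swprintf so the result can never exceed 'buffer_len'. Returns the number of
 * characters written, or 0 on rejected arguments (mirroring the API's
 * 0-on-failure convention). Only the first three prefix characters are used.
 */
unsigned checked_temp_file_name(const wchar_t *path, const wchar_t *prefix,
                                unsigned unique, wchar_t *buffer, size_t buffer_len)
{
    if (buffer == NULL || prefix == NULL || !temp_name_args_ok(path, buffer_len))
        return 0;
    int rc = swprintf(buffer, buffer_len, L"%ls\\%.3ls%04X.TMP",
                      path, prefix, unique & 0xFFFFu);
    return rc > 0 ? (unsigned)rc : 0;
}
```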
