[ros-bugs] [Bug 3571] New: CreateServiceW incorrectly calculates the Dependencies length and sends added garbage to RCreateServiceW

ReactOS.Bugzilla at www.reactos.org
Thu Jul 24 10:22:13 CEST 2008


http://www.reactos.org/bugzilla/show_bug.cgi?id=3571

           Summary: CreateServiceW incorrectly calculates the Dependencies
                    length and sends added garbage to RCreateServiceW
           Product: ReactOS
           Version: TRUNK
          Platform: QEmu
        OS/Version: ReactOS
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: Win32
        AssignedTo: ros-bugs at reactos.org
        ReportedBy: martinmnet at hotmail.com
         QAContact: ros-bugs at reactos.org


Created an attachment (id=2884)
 --> (http://www.reactos.org/bugzilla/attachment.cgi?id=2884)
Fixes CreateServiceA wide string creation for dependencies

The cause is in CreateServiceA.

Explanation:

Parameter 11 to CreateService is a pointer to a double null terminated array of
null-separated names of services.
In scm.c, for CreateServiceA, the length of lpDependencies is calculated and a
call is made to MultiByteToWideChar to create the wide string, lpDependenciesW.
The length parameter for this call is currently -1, which according to MSDN
means the entire input string including the null terminator is converted to a
wide string. So in this case, as ROS implements MultiByteToWideChar, it is
using the null termination to know when the multi-byte string ends (in nls.c,
the string length of the multi-byte string). The lpDependenciesW variable gets
filled with one wide string that is null terminated.

lpDependenciesW is then passed to CreateServiceW, where the wide string length
is calculated.
The problem is that since the wide string only contains one null termination,
the code that calculates the length looks for a second null termination to know
when it is done determining the wide string's length, which it may or may not
find depending on what was in memory when the buffer was allocated.
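As an added illustration (not code from this report or from ReactOS), a C model of the two conversion paths described above: passing -1 to the converter stops at the first null of a double-null-terminated dependency list, while measuring the whole list first and passing the explicit byte count carries both terminators through. `widen` is an assumed stand-in for the ASCII subset of MultiByteToWideChar, and the sample dependency list is constructed.

```c
#include <string.h>
#include <wchar.h>

/* Byte length of a double-NUL-terminated list ("a\0b\0\0"), counting both
   terminators. Caller passes a well-formed list (at least "\0\0"). */
size_t multi_sz_len(const char *s)
{
    size_t n = 0;
    while (!(s[n] == '\0' && s[n + 1] == '\0')) n++;
    return n + 2;
}

/* Same measurement over the wide copy, in wchar_t units. */
size_t multi_szw_len(const wchar_t *s)
{
    size_t n = 0;
    while (!(s[n] == 0 && s[n + 1] == 0)) n++;
    return n + 2;
}

/* Stand-in for the ASCII subset of MultiByteToWideChar (assumption: a model,
   not ReactOS's nls.c). cb == -1 converts through the first NUL only; any
   other cb converts exactly cb bytes, embedded NULs included. */
int widen(const char *src, int cb, wchar_t *dst, int cch)
{
    int n = (cb == -1) ? (int)strlen(src) + 1 : cb;
    if (n > cch) return 0;
    for (int i = 0; i < n; i++) dst[i] = (wchar_t)(unsigned char)src[i];
    return n;
}

/* Converts a constructed two-entry list both ways into a buffer pre-filled
   with a sentinel (standing in for leftover heap bytes). Returns 1 when the
   -1 path leaves a single terminator and the measured path leaves two. */
int check_paths(void)
{
    static const char deps[] = "TestDrv\0Second\0"; /* 16 bytes incl. both NULs */
    wchar_t buf[32];
    for (int i = 0; i < 32; i++) buf[i] = 0x7777;
    /* Path from the report: -1 stops after "TestDrv\0", so buf[8] keeps the
       sentinel and CreateServiceW's double-NUL scan would read past it. */
    int nb = widen(deps, -1, buf, 32);
    int buggy_single = (nb == 8 && buf[7] == 0 && buf[8] == 0x7777);
    for (int i = 0; i < 32; i++) buf[i] = 0x7777;
    /* Fix: measure the whole list and pass that explicit byte count. */
    int nf = widen(deps, (int)multi_sz_len(deps), buf, 32);
    int fixed_ok = (nf == 16 && buf[8] == L'S' && multi_szw_len(buf) == 16);
    return buggy_single && fixed_ok;
}
```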

Custom Debugging
(ntoskrnl/io/iomgr/driver.c:1737) Set DriverSection to ModuleObject
ed for simple PIDL's only!
fixme:(dll/win32/shell32/shlexec.c:1373) flags ignored: 0x0000000c
Entered CreateServiceA in scm.c
--->lpStr = TestDrv, last character in string is 0
--->MultiByteToWideChar complete
first wide string in lpDependenciesW is TestDrv, last character in this string
is 0
Bytes for this wide string are:
byte at pos 0 is 84
byte at pos 1 is 0
byte at pos 2 is 101
byte at pos 3 is 0
byte at pos 4 is 115
byte at pos 5 is 0
byte at pos 6 is 116
byte at pos 7 is 0
byte at pos 8 is 68
byte at pos 9 is 0
byte at pos 10 is 114
byte at pos 11 is 0
byte at pos 12 is 118
byte at pos 13 is 0
byte at pos 14 is 0
byte at pos 15 is 0
byte at pos 16 is 2
byte at pos 17 is 0
Entered CreateServiceW in scm.c
--->dwDependenciesLength is 604
(base/system/services/rpcserver.c:1679) RCreateServiceW() called

