Chromium Code Reviews Chromium Code Reviews
Issue 575623004:
fix sandbox memory leak (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/filesystem_interception.h" | 5 #include "sandbox/win/src/filesystem_interception.h" |
| 6 | 6 |
| 7 #include "sandbox/win/src/crosscall_client.h" | 7 #include "sandbox/win/src/crosscall_client.h" |
| 8 #include "sandbox/win/src/ipc_tags.h" | 8 #include "sandbox/win/src/ipc_tags.h" |
| 9 #include "sandbox/win/src/policy_params.h" | 9 #include "sandbox/win/src/policy_params.h" |
| 10 #include "sandbox/win/src/policy_target.h" | 10 #include "sandbox/win/src/policy_target.h" |
| (...skipping 17 matching lines...) Expand all Loading... | |
| 28 io_status, allocation_size, | 28 io_status, allocation_size, |
| 29 file_attributes, sharing, disposition, | 29 file_attributes, sharing, disposition, |
| 30 options, ea_buffer, ea_length); | 30 options, ea_buffer, ea_length); |
| 31 if (STATUS_ACCESS_DENIED != status) | 31 if (STATUS_ACCESS_DENIED != status) |
| 32 return status; | 32 return status; |
| 33 | 33 |
| 34 // We don't trust that the IPC can work this early. | 34 // We don't trust that the IPC can work this early. |
| 35 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 35 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 36 return status; | 36 return status; |
| 37 | 37 |
| 38 wchar_t* name = NULL; | |
| 38 do { | 39 do { |
| 39 if (!ValidParameter(file, sizeof(HANDLE), WRITE)) | 40 if (!ValidParameter(file, sizeof(HANDLE), WRITE)) |
| 40 break; | 41 break; |
| 41 if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) | 42 if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) |
| 42 break; | 43 break; |
| 43 | 44 |
| 44 void* memory = GetGlobalIPCMemory(); | 45 void* memory = GetGlobalIPCMemory(); |
| 45 if (NULL == memory) | 46 if (NULL == memory) |
| 46 break; | 47 break; |
| 47 | 48 |
| 48 wchar_t* name; | |
| 49 uint32 attributes = 0; | 49 uint32 attributes = 0; |
| 50 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, | 50 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, |
| 51 NULL); | 51 NULL); |
| 52 if (!NT_SUCCESS(ret) || NULL == name) | 52 if (!NT_SUCCESS(ret) || NULL == name) |
| 53 break; | 53 break; |
| 54 | 54 |
| 55 ULONG broker = FALSE; | 55 ULONG broker = FALSE; |
| 56 CountedParameterSet<OpenFile> params; | 56 CountedParameterSet<OpenFile> params; |
| 57 params[OpenFile::NAME] = ParamPickerMake(name); | 57 params[OpenFile::NAME] = ParamPickerMake(name); |
| 58 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); | 58 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); |
| 59 params[OpenFile::OPTIONS] = ParamPickerMake(options); | 59 params[OpenFile::OPTIONS] = ParamPickerMake(options); |
| 60 params[OpenFile::BROKER] = ParamPickerMake(broker); | 60 params[OpenFile::BROKER] = ParamPickerMake(broker); |
| 61 | 61 |
| 62 if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase())) | 62 if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase())) |
| 63 break; | 63 break; |
| 64 | 64 |
| 65 SharedMemIPCClient ipc(memory); | 65 SharedMemIPCClient ipc(memory); |
| 66 CrossCallReturn answer = {0}; | 66 CrossCallReturn answer = {0}; |
| 67 // The following call must match in the parameters with | 67 // The following call must match in the parameters with |
| 68 // FilesystemDispatcher::ProcessNtCreateFile. | 68 // FilesystemDispatcher::ProcessNtCreateFile. |
| 69 ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes, | 69 ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes, |
| 70 desired_access, file_attributes, sharing, | 70 desired_access, file_attributes, sharing, |
| 71 disposition, options, &answer); | 71 disposition, options, &answer); |
| 72 | |
| 73 operator delete(name, NT_ALLOC); | |
| 74 | |
| 75 if (SBOX_ALL_OK != code) | 72 if (SBOX_ALL_OK != code) |
| 76 break; | 73 break; |
| 77 | 74 |
| 78 if (!NT_SUCCESS(answer.nt_status)) | 75 if (!NT_SUCCESS(answer.nt_status)) |
| 79 return answer.nt_status; | 76 return answer.nt_status; |
|
Yun
2014/12/15 03:08:37
Cannot return. It could cause memeory leak as well
| |
| 80 | 77 |
| 81 __try { | 78 __try { |
| 82 *file = answer.handle; | 79 *file = answer.handle; |
| 83 io_status->Status = answer.nt_status; | 80 io_status->Status = answer.nt_status; |
| 84 io_status->Information = answer.extended[0].ulong_ptr; | 81 io_status->Information = answer.extended[0].ulong_ptr; |
| 85 status = io_status->Status; | 82 status = io_status->Status; |
| 86 } __except(EXCEPTION_EXECUTE_HANDLER) { | 83 } __except(EXCEPTION_EXECUTE_HANDLER) { |
| 87 break; | 84 break; |
| 88 } | 85 } |
| 89 } while (false); | 86 } while (false); |
| 90 | 87 |
| 88 if (name) | |
| 89 operator delete(name, NT_ALLOC); | |
| 90 | |
| 91 return status; | 91 return status; |
| 92 } | 92 } |
| 93 | 93 |
| 94 NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file, | 94 NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file, |
| 95 ACCESS_MASK desired_access, | 95 ACCESS_MASK desired_access, |
| 96 POBJECT_ATTRIBUTES object_attributes, | 96 POBJECT_ATTRIBUTES object_attributes, |
| 97 PIO_STATUS_BLOCK io_status, ULONG sharing, | 97 PIO_STATUS_BLOCK io_status, ULONG sharing, |
| 98 ULONG options) { | 98 ULONG options) { |
| 99 // Check if the process can open it first. | 99 // Check if the process can open it first. |
| 100 NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes, | 100 NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes, |
| 101 io_status, sharing, options); | 101 io_status, sharing, options); |
| 102 if (STATUS_ACCESS_DENIED != status) | 102 if (STATUS_ACCESS_DENIED != status) |
| 103 return status; | 103 return status; |
| 104 | 104 |
| 105 // We don't trust that the IPC can work this early. | 105 // We don't trust that the IPC can work this early. |
| 106 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 106 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 107 return status; | 107 return status; |
| 108 | 108 |
| 109 wchar_t* name = NULL; | |
| 109 do { | 110 do { |
| 110 if (!ValidParameter(file, sizeof(HANDLE), WRITE)) | 111 if (!ValidParameter(file, sizeof(HANDLE), WRITE)) |
| 111 break; | 112 break; |
| 112 if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) | 113 if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) |
| 113 break; | 114 break; |
| 114 | 115 |
| 115 void* memory = GetGlobalIPCMemory(); | 116 void* memory = GetGlobalIPCMemory(); |
| 116 if (NULL == memory) | 117 if (NULL == memory) |
| 117 break; | 118 break; |
| 118 | 119 |
| 119 wchar_t* name; | |
| 120 uint32 attributes; | 120 uint32 attributes; |
| 121 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, | 121 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, |
| 122 NULL); | 122 NULL); |
| 123 if (!NT_SUCCESS(ret) || NULL == name) | 123 if (!NT_SUCCESS(ret) || NULL == name) |
| 124 break; | 124 break; |
| 125 | 125 |
| 126 ULONG broker = FALSE; | 126 ULONG broker = FALSE; |
| 127 CountedParameterSet<OpenFile> params; | 127 CountedParameterSet<OpenFile> params; |
| 128 params[OpenFile::NAME] = ParamPickerMake(name); | 128 params[OpenFile::NAME] = ParamPickerMake(name); |
| 129 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); | 129 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); |
| 130 params[OpenFile::OPTIONS] = ParamPickerMake(options); | 130 params[OpenFile::OPTIONS] = ParamPickerMake(options); |
| 131 params[OpenFile::BROKER] = ParamPickerMake(broker); | 131 params[OpenFile::BROKER] = ParamPickerMake(broker); |
| 132 | 132 |
| 133 if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase())) | 133 if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase())) |
| 134 break; | 134 break; |
| 135 | 135 |
| 136 SharedMemIPCClient ipc(memory); | 136 SharedMemIPCClient ipc(memory); |
| 137 CrossCallReturn answer = {0}; | 137 CrossCallReturn answer = {0}; |
| 138 ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes, | 138 ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes, |
| 139 desired_access, sharing, options, &answer); | 139 desired_access, sharing, options, &answer); |
| 140 | |
| 141 operator delete(name, NT_ALLOC); | |
| 142 | |
| 143 if (SBOX_ALL_OK != code) | 140 if (SBOX_ALL_OK != code) |
| 144 break; | 141 break; |
| 145 | 142 |
| 146 if (!NT_SUCCESS(answer.nt_status)) | 143 if (!NT_SUCCESS(answer.nt_status)) |
| 147 return answer.nt_status; | 144 return answer.nt_status; |
|
Yun
2014/12/15 03:08:37
Cannot return. It could cause memory leak as well.
| |
| 148 | 145 |
| 149 __try { | 146 __try { |
| 150 *file = answer.handle; | 147 *file = answer.handle; |
| 151 io_status->Status = answer.nt_status; | 148 io_status->Status = answer.nt_status; |
| 152 io_status->Information = answer.extended[0].ulong_ptr; | 149 io_status->Information = answer.extended[0].ulong_ptr; |
| 153 status = io_status->Status; | 150 status = io_status->Status; |
| 154 } __except(EXCEPTION_EXECUTE_HANDLER) { | 151 } __except(EXCEPTION_EXECUTE_HANDLER) { |
| 155 break; | 152 break; |
| 156 } | 153 } |
| 157 } while (false); | 154 } while (false); |
| 158 | 155 |
| 156 if (name) | |
| 157 operator delete(name, NT_ALLOC); | |
| 158 | |
| 159 return status; | 159 return status; |
| 160 } | 160 } |
| 161 | 161 |
| 162 NTSTATUS WINAPI TargetNtQueryAttributesFile( | 162 NTSTATUS WINAPI TargetNtQueryAttributesFile( |
| 163 NtQueryAttributesFileFunction orig_QueryAttributes, | 163 NtQueryAttributesFileFunction orig_QueryAttributes, |
| 164 POBJECT_ATTRIBUTES object_attributes, | 164 POBJECT_ATTRIBUTES object_attributes, |
| 165 PFILE_BASIC_INFORMATION file_attributes) { | 165 PFILE_BASIC_INFORMATION file_attributes) { |
| 166 // Check if the process can query it first. | 166 // Check if the process can query it first. |
| 167 NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes); | 167 NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes); |
| 168 if (STATUS_ACCESS_DENIED != status) | 168 if (STATUS_ACCESS_DENIED != status) |
| 169 return status; | 169 return status; |
| 170 | 170 |
| 171 // We don't trust that the IPC can work this early. | 171 // We don't trust that the IPC can work this early. |
| 172 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 172 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 173 return status; | 173 return status; |
| 174 | 174 |
| 175 wchar_t* name = NULL; | |
| 175 do { | 176 do { |
| 176 if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE)) | 177 if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE)) |
| 177 break; | 178 break; |
| 178 | 179 |
| 179 void* memory = GetGlobalIPCMemory(); | 180 void* memory = GetGlobalIPCMemory(); |
| 180 if (NULL == memory) | 181 if (NULL == memory) |
| 181 break; | 182 break; |
| 182 | 183 |
| 183 wchar_t* name = NULL; | |
| 184 uint32 attributes = 0; | 184 uint32 attributes = 0; |
| 185 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, | 185 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, |
| 186 NULL); | 186 NULL); |
| 187 if (!NT_SUCCESS(ret) || NULL == name) | 187 if (!NT_SUCCESS(ret) || NULL == name) |
| 188 break; | 188 break; |
| 189 | 189 |
| 190 InOutCountedBuffer file_info(file_attributes, | 190 InOutCountedBuffer file_info(file_attributes, |
| 191 sizeof(FILE_BASIC_INFORMATION)); | 191 sizeof(FILE_BASIC_INFORMATION)); |
| 192 | 192 |
| 193 ULONG broker = FALSE; | 193 ULONG broker = FALSE; |
| 194 CountedParameterSet<FileName> params; | 194 CountedParameterSet<FileName> params; |
| 195 params[FileName::NAME] = ParamPickerMake(name); | 195 params[FileName::NAME] = ParamPickerMake(name); |
| 196 params[FileName::BROKER] = ParamPickerMake(broker); | 196 params[FileName::BROKER] = ParamPickerMake(broker); |
| 197 | 197 |
| 198 if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase())) | 198 if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase())) |
| 199 break; | 199 break; |
| 200 | 200 |
| 201 SharedMemIPCClient ipc(memory); | 201 SharedMemIPCClient ipc(memory); |
| 202 CrossCallReturn answer = {0}; | 202 CrossCallReturn answer = {0}; |
| 203 ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name, | 203 ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name, |
| 204 attributes, file_info, &answer); | 204 attributes, file_info, &answer); |
| 205 | 205 |
| 206 operator delete(name, NT_ALLOC); | 206 operator delete(name, NT_ALLOC); |
|
Yun
2014/12/15 03:08:37
Remove it.
| |
| 207 | 207 |
| 208 if (SBOX_ALL_OK != code) | 208 if (SBOX_ALL_OK != code) |
| 209 break; | 209 break; |
| 210 | 210 |
| 211 return answer.nt_status; | 211 return answer.nt_status; |
|
Yun
2014/12/15 03:08:37
Change it as:
status = answer.nt_status;
| |
| 212 | 212 |
| 213 } while (false); | 213 } while (false); |
| 214 | 214 |
| 215 if (name) | |
| 216 operator delete(name, NT_ALLOC); | |
| 217 | |
| 215 return status; | 218 return status; |
| 216 } | 219 } |
| 217 | 220 |
| 218 NTSTATUS WINAPI TargetNtQueryFullAttributesFile( | 221 NTSTATUS WINAPI TargetNtQueryFullAttributesFile( |
| 219 NtQueryFullAttributesFileFunction orig_QueryFullAttributes, | 222 NtQueryFullAttributesFileFunction orig_QueryFullAttributes, |
| 220 POBJECT_ATTRIBUTES object_attributes, | 223 POBJECT_ATTRIBUTES object_attributes, |
| 221 PFILE_NETWORK_OPEN_INFORMATION file_attributes) { | 224 PFILE_NETWORK_OPEN_INFORMATION file_attributes) { |
| 222 // Check if the process can query it first. | 225 // Check if the process can query it first. |
| 223 NTSTATUS status = orig_QueryFullAttributes(object_attributes, | 226 NTSTATUS status = orig_QueryFullAttributes(object_attributes, |
| 224 file_attributes); | 227 file_attributes); |
| 225 if (STATUS_ACCESS_DENIED != status) | 228 if (STATUS_ACCESS_DENIED != status) |
| 226 return status; | 229 return status; |
| 227 | 230 |
| 228 // We don't trust that the IPC can work this early. | 231 // We don't trust that the IPC can work this early. |
| 229 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 232 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 230 return status; | 233 return status; |
| 231 | 234 |
| 235 wchar_t* name = NULL; | |
| 232 do { | 236 do { |
| 233 if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION), | 237 if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION), |
| 234 WRITE)) | 238 WRITE)) |
| 235 break; | 239 break; |
| 236 | 240 |
| 237 void* memory = GetGlobalIPCMemory(); | 241 void* memory = GetGlobalIPCMemory(); |
| 238 if (NULL == memory) | 242 if (NULL == memory) |
| 239 break; | 243 break; |
| 240 | 244 |
| 241 wchar_t* name = NULL; | |
| 242 uint32 attributes = 0; | 245 uint32 attributes = 0; |
| 243 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, | 246 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, |
| 244 NULL); | 247 NULL); |
| 245 if (!NT_SUCCESS(ret) || NULL == name) | 248 if (!NT_SUCCESS(ret) || NULL == name) |
| 246 break; | 249 break; |
| 247 | 250 |
| 248 InOutCountedBuffer file_info(file_attributes, | 251 InOutCountedBuffer file_info(file_attributes, |
| 249 sizeof(FILE_NETWORK_OPEN_INFORMATION)); | 252 sizeof(FILE_NETWORK_OPEN_INFORMATION)); |
| 250 | 253 |
| 251 ULONG broker = FALSE; | 254 ULONG broker = FALSE; |
| 252 CountedParameterSet<FileName> params; | 255 CountedParameterSet<FileName> params; |
| 253 params[FileName::NAME] = ParamPickerMake(name); | 256 params[FileName::NAME] = ParamPickerMake(name); |
| 254 params[FileName::BROKER] = ParamPickerMake(broker); | 257 params[FileName::BROKER] = ParamPickerMake(broker); |
| 255 | 258 |
| 256 if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase())) | 259 if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase())) |
| 257 break; | 260 break; |
| 258 | 261 |
| 259 SharedMemIPCClient ipc(memory); | 262 SharedMemIPCClient ipc(memory); |
| 260 CrossCallReturn answer = {0}; | 263 CrossCallReturn answer = {0}; |
| 261 ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name, | 264 ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name, |
| 262 attributes, file_info, &answer); | 265 attributes, file_info, &answer); |
| 263 | 266 |
| 264 operator delete(name, NT_ALLOC); | 267 operator delete(name, NT_ALLOC); |
|
Yun
2014/12/15 03:08:37
Remove it.
| |
| 265 | 268 |
| 266 if (SBOX_ALL_OK != code) | 269 if (SBOX_ALL_OK != code) |
| 267 break; | 270 break; |
| 268 | 271 |
| 269 return answer.nt_status; | 272 return answer.nt_status; |
|
Yun
2014/12/15 03:08:37
Change it as:
status = answer.nt_status;
| |
| 270 } while (false); | 273 } while (false); |
| 271 | 274 |
| 275 if (name) | |
| 276 operator delete(name, NT_ALLOC); | |
| 277 | |
| 272 return status; | 278 return status; |
| 273 } | 279 } |
| 274 | 280 |
| 275 NTSTATUS WINAPI TargetNtSetInformationFile( | 281 NTSTATUS WINAPI TargetNtSetInformationFile( |
| 276 NtSetInformationFileFunction orig_SetInformationFile, HANDLE file, | 282 NtSetInformationFileFunction orig_SetInformationFile, HANDLE file, |
| 277 PIO_STATUS_BLOCK io_status, PVOID file_info, ULONG length, | 283 PIO_STATUS_BLOCK io_status, PVOID file_info, ULONG length, |
| 278 FILE_INFORMATION_CLASS file_info_class) { | 284 FILE_INFORMATION_CLASS file_info_class) { |
| 279 // Check if the process can open it first. | 285 // Check if the process can open it first. |
| 280 NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length, | 286 NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length, |
| 281 file_info_class); | 287 file_info_class); |
| 282 if (STATUS_ACCESS_DENIED != status) | 288 if (STATUS_ACCESS_DENIED != status) |
| 283 return status; | 289 return status; |
| 284 | 290 |
| 285 // We don't trust that the IPC can work this early. | 291 // We don't trust that the IPC can work this early. |
| 286 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 292 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 287 return status; | 293 return status; |
| 288 | 294 |
| 295 wchar_t* name = NULL; | |
| 289 do { | 296 do { |
| 290 void* memory = GetGlobalIPCMemory(); | 297 void* memory = GetGlobalIPCMemory(); |
| 291 if (NULL == memory) | 298 if (NULL == memory) |
| 292 break; | 299 break; |
| 293 | 300 |
| 294 if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) | 301 if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) |
| 295 break; | 302 break; |
| 296 | 303 |
| 297 if (!ValidParameter(file_info, length, READ)) | 304 if (!ValidParameter(file_info, length, READ)) |
| 298 break; | 305 break; |
| 299 | 306 |
| 300 FILE_RENAME_INFORMATION* file_rename_info = | 307 FILE_RENAME_INFORMATION* file_rename_info = |
| 301 reinterpret_cast<FILE_RENAME_INFORMATION*>(file_info); | 308 reinterpret_cast<FILE_RENAME_INFORMATION*>(file_info); |
| 302 OBJECT_ATTRIBUTES object_attributes; | 309 OBJECT_ATTRIBUTES object_attributes; |
| 303 UNICODE_STRING object_name; | 310 UNICODE_STRING object_name; |
| 304 InitializeObjectAttributes(&object_attributes, &object_name, 0, NULL, NULL); | 311 InitializeObjectAttributes(&object_attributes, &object_name, 0, NULL, NULL); |
| 305 | 312 |
| 306 __try { | 313 __try { |
| 307 if (!IsSupportedRenameCall(file_rename_info, length, file_info_class)) | 314 if (!IsSupportedRenameCall(file_rename_info, length, file_info_class)) |
| 308 break; | 315 break; |
| 309 | 316 |
| 310 object_attributes.RootDirectory = file_rename_info->RootDirectory; | 317 object_attributes.RootDirectory = file_rename_info->RootDirectory; |
| 311 object_name.Buffer = file_rename_info->FileName; | 318 object_name.Buffer = file_rename_info->FileName; |
| 312 object_name.Length = object_name.MaximumLength = | 319 object_name.Length = object_name.MaximumLength = |
| 313 static_cast<USHORT>(file_rename_info->FileNameLength); | 320 static_cast<USHORT>(file_rename_info->FileNameLength); |
| 314 } __except(EXCEPTION_EXECUTE_HANDLER) { | 321 } __except(EXCEPTION_EXECUTE_HANDLER) { |
| 315 break; | 322 break; |
| 316 } | 323 } |
| 317 | 324 |
| 318 wchar_t* name; | |
| 319 NTSTATUS ret = AllocAndCopyName(&object_attributes, &name, NULL, NULL); | 325 NTSTATUS ret = AllocAndCopyName(&object_attributes, &name, NULL, NULL); |
| 320 if (!NT_SUCCESS(ret) || !name) | 326 if (!NT_SUCCESS(ret) || !name) |
| 321 break; | 327 break; |
| 322 | 328 |
| 323 ULONG broker = FALSE; | 329 ULONG broker = FALSE; |
| 324 CountedParameterSet<FileName> params; | 330 CountedParameterSet<FileName> params; |
| 325 params[FileName::NAME] = ParamPickerMake(name); | 331 params[FileName::NAME] = ParamPickerMake(name); |
| 326 params[FileName::BROKER] = ParamPickerMake(broker); | 332 params[FileName::BROKER] = ParamPickerMake(broker); |
| 327 | 333 |
| 328 if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase())) | 334 if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase())) |
| 329 break; | 335 break; |
| 330 | 336 |
| 331 InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK)); | 337 InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK)); |
| 332 // This is actually not an InOut buffer, only In, but using InOut facility | 338 // This is actually not an InOut buffer, only In, but using InOut facility |
| 333 // really helps to simplify the code. | 339 // really helps to simplify the code. |
| 334 InOutCountedBuffer file_info_buffer(file_info, length); | 340 InOutCountedBuffer file_info_buffer(file_info, length); |
| 335 | 341 |
| 336 SharedMemIPCClient ipc(memory); | 342 SharedMemIPCClient ipc(memory); |
| 337 CrossCallReturn answer = {0}; | 343 CrossCallReturn answer = {0}; |
| 338 ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file, | 344 ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file, |
| 339 io_status_buffer, file_info_buffer, length, | 345 io_status_buffer, file_info_buffer, length, |
| 340 file_info_class, &answer); | 346 file_info_class, &answer); |
| 341 | 347 |
| 342 if (SBOX_ALL_OK != code) | 348 if (SBOX_ALL_OK != code) |
| 343 break; | 349 break; |
| 344 | 350 |
| 345 status = answer.nt_status; | 351 status = answer.nt_status; |
| 346 } while (false); | 352 } while (false); |
| 347 | 353 |
| 354 if (name) | |
| 355 operator delete(name, NT_ALLOC); | |
| 356 | |
| 348 return status; | 357 return status; |
| 349 } | 358 } |
| 350 | 359 |
| 351 } // namespace sandbox | 360 } // namespace sandbox |
| OLD | NEW |
