bug in FastFat + NTFS?

Anyone ever noticed this bug in FastFat (and seemingly in NTFS):

    if ( (*Length - FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                  FileSystemName[0] )) >= 10 ) {

        BytesToCopy = 10;
        *Length -= FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                 FileSystemName[0] ) + 10;
        Status = STATUS_SUCCESS;

    } else {

        BytesToCopy = *Length - FIELD_OFFSET(
                                    FILE_FS_ATTRIBUTE_INFORMATION,
                                    FileSystemName[0]);
        *Length = 0;

        Status = STATUS_BUFFER_OVERFLOW;
    }

This is in FastFat.FatQueryFsAttributeInfo

Since Length is unsigned, you can imagine the problems when Length is <
FIELD_OFFSET(…).

Thanks,
Joel


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Length is guaranteed to be >= sizeof(FILE_FS_ATTRIBUTE_INFORMATION) in
the usermode service entrypoint, NtQueryVolumeInformationFile. The
kernelmode entrypoint (IoQueryVolumeInformation) you’re using to inject
the failing call doesn’t have similar safeguards; this is something the
verifier could be revved to catch for you.

-----Original Message-----
From: Smith, Joel [mailto:xxxxx@ntpsoftware.com]
Sent: Tuesday, March 20, 2001 7:04 AM
To: File Systems Developers
Subject: [ntfsd] bug in FastFat + NTFS?

Anyone ever noticed this bug in FastFat (and seemingly in NTFS):

    if ( (*Length - FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                  FileSystemName[0] )) >= 10 ) {

        BytesToCopy = 10;
        *Length -= FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                 FileSystemName[0] ) + 10;
        Status = STATUS_SUCCESS;

    } else {

        BytesToCopy = *Length - FIELD_OFFSET(
                                    FILE_FS_ATTRIBUTE_INFORMATION,
                                    FileSystemName[0]);
        *Length = 0;

        Status = STATUS_BUFFER_OVERFLOW;
    }

This is in FastFat.FatQueryFsAttributeInfo
Since Length is unsigned, you can imagine the problems when Length is <
FIELD_OFFSET(…).
Thanks,
Joel

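The unsigned wraparound discussed in this thread, as an added user-mode example (not code from either poster or from the FastFat source). The struct is a portable stand-in for FILE_FS_ATTRIBUTE_INFORMATION with an assumed field layout, and the status names, RESULT type and function names are hypothetical, local to this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for FILE_FS_ATTRIBUTE_INFORMATION (assumed field layout). */
typedef struct {
    uint32_t FileSystemAttributes;
    int32_t  MaximumComponentNameLength;
    uint32_t FileSystemNameLength;
    uint16_t FileSystemName[1];
} FS_ATTR_INFO;

#define NAME_OFFSET ((uint32_t)offsetof(FS_ATTR_INFO, FileSystemName))
#define NAME_BYTES  10u  /* the constant 10 in the posted code */

/* Hypothetical status values, local to this example. */
enum { ST_SUCCESS, ST_BUFFER_OVERFLOW, ST_LENGTH_MISMATCH };

typedef struct {
    uint32_t bytes_to_copy;  /* BytesToCopy */
    uint32_t remaining;      /* *Length after the call */
    int      status;
} RESULT;

/* Same arithmetic as the posted snippet, on a 32-bit unsigned length. */
RESULT as_posted(uint32_t length)
{
    RESULT r;
    if ((length - NAME_OFFSET) >= NAME_BYTES) {  /* wraps if length < NAME_OFFSET */
        r.bytes_to_copy = NAME_BYTES;
        r.remaining = length - (NAME_OFFSET + NAME_BYTES);
        r.status = ST_SUCCESS;
    } else {
        r.bytes_to_copy = length - NAME_OFFSET;
        r.remaining = 0;
        r.status = ST_BUFFER_OVERFLOW;
    }
    return r;
}

/* Guarded variant: reject a short buffer before any unsigned subtraction. */
RESULT guarded(uint32_t length)
{
    RESULT r = { 0, length, ST_LENGTH_MISMATCH };
    if (length < NAME_OFFSET)
        return r;
    return as_posted(length);
}
```

With a 4-byte length the posted arithmetic reports success, a 10-byte copy and a remaining length near 4 GB, while the guarded variant fails the request before any subtraction.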