Anyone ever noticed this bug in FastFat (and seemingly in NTFS):
    if ( (*Length - FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                  FileSystemName[0] )) >= 10 ) {
        BytesToCopy = 10;
        *Length -= FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                 FileSystemName[0] ) + 10;
        Status = STATUS_SUCCESS;
    } else {
        BytesToCopy = *Length - FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                              FileSystemName[0] );
        *Length = 0;
        Status = STATUS_BUFFER_OVERFLOW;
    }
This is in FastFat.FatQueryFsAttributeInfo
Since Length is unsigned, you can imagine the problems when Length is <
FIELD_OFFSET(…).
Thanks,
Joel
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
Length is guaranteed to be >= sizeof(FILE_FS_ATTRIBUTE_INFORMATION) in
the usermode service entrypoint, NtQueryVolumeInformationFile. The
kernelmode entrypoint (IoQueryVolumeInformation) you’re using to inject
the failing call doesn’t have similar safeguards; this is something the
verifier could be revved to catch for you.
-----Original Message-----
From: Smith, Joel [mailto:xxxxx@ntpsoftware.com]
Sent: Tuesday, March 20, 2001 7:04 AM
To: File Systems Developers
Subject: [ntfsd] bug in FastFat + NTFS?
Anyone ever noticed this bug in FastFat (and seemingly in NTFS):
    if ( (*Length - FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                  FileSystemName[0] )) >= 10 ) {
        BytesToCopy = 10;
        *Length -= FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                 FileSystemName[0] ) + 10;
        Status = STATUS_SUCCESS;
    } else {
        BytesToCopy = *Length - FIELD_OFFSET( FILE_FS_ATTRIBUTE_INFORMATION,
                                              FileSystemName[0] );
        *Length = 0;
        Status = STATUS_BUFFER_OVERFLOW;
    }
This is in FastFat.FatQueryFsAttributeInfo
Since Length is unsigned, you can imagine the problems when Length is <
FIELD_OFFSET(…).
Thanks,
Joel
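Added example, not part of the thread and not FastFat source: a user-mode model of the length arithmetic discussed above, showing what the posted logic computes when Length is smaller than the FIELD_OFFSET and what a lower-bound check in front of it changes. The FS_ATTR_INFO stand-in struct, the ST_* status names, and the choice to fail with a length-mismatch status in checked_logic are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-mode stand-in for FILE_FS_ATTRIBUTE_INFORMATION. */
typedef struct {
    uint32_t FileSystemAttributes;
    int32_t  MaximumComponentNameLength;
    uint32_t FileSystemNameLength;
    uint16_t FileSystemName[1];
} FS_ATTR_INFO;

#define NAME_OFFSET ((uint32_t)offsetof(FS_ATTR_INFO, FileSystemName))
#define NAME_BYTES  10u   /* the constant 10 from the posted snippet */

enum { ST_SUCCESS, ST_BUFFER_OVERFLOW, ST_LENGTH_MISMATCH }; /* hypothetical names */

/* Same arithmetic as the posted snippet: unsigned subtraction, no lower bound. */
static int posted_logic(uint32_t *length, uint32_t *bytes_to_copy)
{
    if ((*length - NAME_OFFSET) >= NAME_BYTES) {   /* wraps if *length < offset */
        *bytes_to_copy = NAME_BYTES;
        *length -= NAME_OFFSET + NAME_BYTES;       /* wraps again */
        return ST_SUCCESS;
    }
    *bytes_to_copy = *length - NAME_OFFSET;
    *length = 0;
    return ST_BUFFER_OVERFLOW;
}

/* Guarded variant (assumption): reject a buffer smaller than the fixed header
 * before any subtraction, so callers that bypass the usermode check still fail. */
static int checked_logic(uint32_t *length, uint32_t *bytes_to_copy)
{
    if (*length < NAME_OFFSET)
        return ST_LENGTH_MISMATCH;
    return posted_logic(length, bytes_to_copy);
}

int main(void)
{
    uint32_t len = 4, n = 0;   /* constructed input: 4-byte buffer, offset is 12 */
    int st = posted_logic(&len, &n);
    printf("posted:  status=%d copy=%u remaining=%u\n", st, (unsigned)n, (unsigned)len);
    len = 4; n = 0;
    st = checked_logic(&len, &n);
    printf("checked: status=%d copy=%u remaining=%u\n", st, (unsigned)n, (unsigned)len);
    return 0;
}
```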