/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Copyright (c) 1993 Microsoft Corporation Module Name : misc.c Abstract : Contains miscelaneous helper routines. Author : David Kays dkays December 1993. Revision History : ---------------------------------------------------------------------*/ #include "ndrp.h" #include "attack.h" uchar * NdrpMemoryIncrement( PMIDL_STUB_MESSAGE pStubMsg, uchar * pMemory, PFORMAT_STRING pFormat ) /*++ Routine Description : Returns a memory pointer incremeted past a complex data type. This routine is also overloaded to compute the size of a complex data type by passing a 0 memory pointer. Arguments : pStubMsg - Pointer to the stub message. pMemory - Pointer to the complex type, or 0 if a size is being computed. pFormat - Format string description. Return : A memory pointer incremented past the complex type. If a 0 memory pointer was passed in then the returned value is the size of the complex type. --*/ { long Elements; long ElementSize; switch ( *pFormat ) { // // Structs // case FC_STRUCT : case FC_PSTRUCT : case FC_HARD_STRUCT : pMemory += *((ushort *)(pFormat + 2)); break; case FC_CSTRUCT : case FC_CVSTRUCT : case FC_CPSTRUCT : pMemory += *((ushort *)(pFormat + 2)); // Get conformant array or string description. pFormat += 4; pFormat += *((signed short *)pFormat); // This flag is set by the endianess pass only. if ( ! IS_TOPMOST_CONF_STRUCT( pStubMsg->uFlags ) ) { // When embedding in a bogus struct, array is accounted // at the conf struct level, due to pointer layout. // Get the memory pointer past the conformant array. pMemory = NdrpMemoryIncrement( pStubMsg, pMemory, pFormat ); } break; case FC_BOGUS_STRUCT : pMemory += *((ushort *)(pFormat + 2)); pFormat += 4; // Check for a conformant array or string in the struct. if ( *((signed short *)pFormat) ) { pFormat += *((signed short *)pFormat); if ( !IS_EMBED_CONF_STRUCT( pStubMsg->uFlags ) && ! IS_CONF_ARRAY_DONE( pStubMsg->uFlags ) ) { // Get the memory pointer past the conformant array. pMemory = NdrpMemoryIncrement( pStubMsg, pMemory, pFormat ); } } break; // // Unions // case FC_ENCAPSULATED_UNION : pMemory += HIGH_NIBBLE(pFormat[1]); pMemory += *((ushort *)(pFormat + 2)); break; case FC_NON_ENCAPSULATED_UNION : // Go to the size/arm description. pFormat += 6; CORRELATION_DESC_INCREMENT( pFormat ); pFormat += *((signed short *)pFormat); pMemory += *((ushort *)pFormat); break; // // Arrays // case FC_SMFARRAY : case FC_SMVARRAY : pMemory += *((ushort *)(pFormat + 2)); break; case FC_LGFARRAY : case FC_LGVARRAY : pMemory += *((ulong UNALIGNED *)(pFormat + 2)); break; case FC_CARRAY: case FC_CVARRAY: { ULONG_PTR ConfSize = NdrpComputeConformance( pStubMsg, pMemory, pFormat); // check for possible mulitplication overflow attack here. pMemory += MultiplyWithOverflowCheck( ConfSize, *((ushort *)(pFormat + 2)) ); } break; case FC_BOGUS_ARRAY : { PARRAY_INFO pArrayInfo = pStubMsg->pArrayInfo; if ( *((long UNALIGNED *)(pFormat + 4)) == 0xffffffff ) Elements = *((ushort *)(pFormat + 2)); else { if ( pArrayInfo && pArrayInfo->MaxCountArray && (pArrayInfo->MaxCountArray == pArrayInfo->BufferConformanceMark) ) { Elements = pArrayInfo->MaxCountArray[pArrayInfo->Dimension]; } else { Elements = (ulong) NdrpComputeConformance( pStubMsg, pMemory, pFormat ); } } // Go to the array element's description. pFormat += 12; CORRELATION_DESC_INCREMENT( pFormat ); CORRELATION_DESC_INCREMENT( pFormat ); // // Get the size of one element. // switch ( *pFormat ) { case FC_ENUM16 : ElementSize = sizeof(int); break; case FC_RP : case FC_UP : case FC_FP : case FC_OP : ElementSize = PTR_MEM_SIZE; break; case FC_EMBEDDED_COMPLEX : // // It's some complicated thingy. // pFormat += 2; pFormat += *((signed short *)pFormat); if ( (*pFormat == FC_TRANSMIT_AS) || (*pFormat == FC_REPRESENT_AS) || (*pFormat == FC_USER_MARSHAL) ) { // // Get the presented type size. // ElementSize = *((ushort *)(pFormat + 4)); } else { if ( pArrayInfo ) pArrayInfo->Dimension++; ElementSize = (long) ( NdrpMemoryIncrement( pStubMsg, pMemory, pFormat ) - pMemory ); if ( pArrayInfo ) pArrayInfo->Dimension--; } break; case FC_RANGE: ElementSize = SIMPLE_TYPE_MEMSIZE( (pFormat[1] & 0x0f) ); break; default : if ( IS_SIMPLE_TYPE(*pFormat) ) { ElementSize = SIMPLE_TYPE_MEMSIZE(*pFormat); break; } NDR_ASSERT(0,"NdrpMemoryIncrement : bad format char"); RpcRaiseException( RPC_S_INTERNAL_ERROR ); return 0; } // check for possible mulitplication overflow attack here. pMemory += MultiplyWithOverflowCheck( Elements, ElementSize ); } break; // // String arrays (a.k.a. non-conformant strings). // case FC_CSTRING : case FC_BSTRING : case FC_WSTRING : { ULONG ElementSize = (*pFormat == FC_WSTRING) ? sizeof(wchar_t) : sizeof(char) ; ULONG Elements = *((ushort *)(pFormat + 2)) ; // check for possible mulitplication overflow attack here. pMemory += MultiplyWithOverflowCheck( Elements, ElementSize ); } break; case FC_SSTRING : // check for possible mulitplication overflow attack here. pMemory += MultiplyWithOverflowCheck( pFormat[1], *((ushort *)(pFormat + 2) ) ); break; // // Sized conformant strings. // case FC_C_CSTRING: case FC_C_BSTRING: case FC_C_WSTRING: { PARRAY_INFO pArrayInfo = pStubMsg->pArrayInfo; ULONG ElementSize = (*pFormat == FC_C_WSTRING) ? sizeof(wchar_t) : sizeof(char); NDR_ASSERT(pFormat[1] == FC_STRING_SIZED, "NdrpMemoryIncrement : called for non-sized string"); if ( pArrayInfo && pArrayInfo->MaxCountArray && (pArrayInfo->MaxCountArray == pArrayInfo->BufferConformanceMark) ) { Elements = pArrayInfo->MaxCountArray[pArrayInfo->Dimension]; } else { Elements = (ulong) NdrpComputeConformance( pStubMsg, pMemory, pFormat ); } // check for possible mulitplication overflow attack here. pMemory += MultiplyWithOverflowCheck( Elements, ElementSize ); } break; case FC_C_SSTRING: { PARRAY_INFO pArrayInfo = pStubMsg->pArrayInfo; if ( pArrayInfo && pArrayInfo->MaxCountArray && (pArrayInfo->MaxCountArray == pArrayInfo->BufferConformanceMark) ) { Elements = pArrayInfo->MaxCountArray[pArrayInfo->Dimension]; } else { Elements = (ulong) NdrpComputeConformance( pStubMsg, pMemory, pFormat ); } // check for possible mulitplication overflow attack here. pMemory += MultiplyWithOverflowCheck( Elements, pFormat[1] ); } break; // // Transmit as, represent as, user marshal // case FC_TRANSMIT_AS : case FC_REPRESENT_AS : case FC_USER_MARSHAL : // Get the presented type size. pMemory += *((ushort *)(pFormat + 4)); break; case FC_BYTE_COUNT_POINTER: // // Should only hit this case when called from NdrSrvOutInit(). // In this case it's the total byte count allocation size we're // looking for. // // We are taking the larger of conformant size and the real data // type size, otherwise, we might give user a partially invalid // buffer, and that'll come back to bite us during sizing/marshalling { uchar * pMemory1 = pMemory; uchar * pMemory2 = pMemory; PFORMAT_STRING pFormat2 = pFormat; if ( pFormat[1] != FC_PAD ) { pMemory2 += SIMPLE_TYPE_MEMSIZE( pFormat[1] ); } else { // go pass the conformance & get to the real type pFormat2 += 6; CORRELATION_DESC_INCREMENT( pFormat2 ); pFormat2 += *((signed short *)pFormat2); pMemory2 = NdrpMemoryIncrement( pStubMsg, pMemory2, pFormat2 ); } pMemory1 += NdrpComputeConformance( pStubMsg, pMemory1, pFormat ); pMemory = ( pMemory1 > pMemory2 )? pMemory1 : pMemory2; break; } case FC_IP : pMemory += PTR_MEM_SIZE; break; case FC_RANGE: pMemory += SIMPLE_TYPE_MEMSIZE( (pFormat[1] & 0x0f) ); break; #ifdef _CS_CHAR_ case FC_CSARRAY: { uchar * OldBuffer = pStubMsg->Buffer; ulong OldSize = pStubMsg->MemorySize; pStubMsg->MemorySize = 0; pMemory += NdrCsArrayMemorySize( pStubMsg, pFormat ); pStubMsg->MemorySize = OldSize; pStubMsg->Buffer = OldBuffer; break; } case FC_CS_TAG: pMemory += sizeof( ulong ); break; #endif _CS_CHAR_ default : NDR_ASSERT(0,"NdrpMemoryIncrement : bad format char"); RpcRaiseException( RPC_S_INTERNAL_ERROR ); return 0; } return pMemory; } long NdrpArrayDimensions( PMIDL_STUB_MESSAGE pStubMsg, PFORMAT_STRING pFormat, BOOL fIgnoreStringArrays ) /*++ Routine description : This routine determines the number of dimensions in a complex array, which is the only array type which is allowed to have multiple dimensions other than an array of multiple fixed dimensions. Arguments : pFormat - Complex array's format string description. fIgnoreStringArrays - TRUE if a string array should not be counted as a dimension, FALSE if it should. Return : The number of dimensions in the array. --*/ { long Dimensions; // // Only a complex array can have multiple dimensions. // if ( *pFormat != FC_BOGUS_ARRAY ) return 1; Dimensions = 1; pFormat += 12; CORRELATION_DESC_INCREMENT( pFormat ); CORRELATION_DESC_INCREMENT( pFormat ); for ( ; *pFormat == FC_EMBEDDED_COMPLEX; ) { pFormat += 2; pFormat += *((signed short *)pFormat); // // Search for a fixed, complex, or string array. // switch ( *pFormat ) { case FC_SMFARRAY : pFormat += 4; break; case FC_LGFARRAY : pFormat += 6; break; case FC_BOGUS_ARRAY : pFormat += 12; CORRELATION_DESC_INCREMENT( pFormat ); CORRELATION_DESC_INCREMENT( pFormat ); break; case FC_CSTRING : case FC_BSTRING : case FC_WSTRING : case FC_SSTRING : case FC_C_CSTRING : case FC_C_BSTRING : case FC_C_WSTRING : case FC_C_SSTRING : // // Can't have any more dimensions after a string array. // return fIgnoreStringArrays ? Dimensions : Dimensions + 1; default : return Dimensions; } Dimensions++; } // // Get here if you have only one dimension. // return Dimensions; } long NdrpArrayElements( PMIDL_STUB_MESSAGE pStubMsg, uchar * pMemory, PFORMAT_STRING pFormat ) /*++ Routine description : This routine determines the number of elements (allocation size) in an array. Used to handle multidimensional arrays. Arguments : pStubMsg - The stub message. pMemory - The array. pFormat - Array's format string description. Return : The number of elements in the array. --*/ { long TotalSize; long ElementSize; switch ( *pFormat ) { case FC_SMFARRAY : TotalSize = (long) *((ushort *)(pFormat + 2)); pFormat += 4; break; case FC_LGFARRAY : TotalSize = *((long UNALIGNED *)(pFormat + 2)); pFormat += 6; break; case FC_SMVARRAY : return (long) *((ushort *)(pFormat + 4)); case FC_LGVARRAY : return *((long UNALIGNED *)(pFormat + 6)); case FC_BOGUS_ARRAY : if ( *((long *)(pFormat + 4)) == 0xffffffff ) return (long) *((ushort *)(pFormat + 2)); // else fall through case FC_CARRAY : case FC_CVARRAY : return (ulong) NdrpComputeConformance( pStubMsg, pMemory, pFormat ); default : NDR_ASSERT(0,"NdrpArrayElements : bad format char"); RpcRaiseException( RPC_S_INTERNAL_ERROR ); return 0; } // // We get here for a non-complex fixed array. // // Since a fixed array's format string description does not // contain the number of elements in the array, we have to compute // it by computing the array's element size and dividing this into // the total array size. // // A fixed array's child can only be a nice struct, another // fixed array, a pointer, or a simple type. // // // Skip pointer layout if one is present. // if ( *pFormat == FC_PP ) pFormat = NdrpSkipPointerLayout( pFormat ); switch ( *pFormat ) { case FC_EMBEDDED_COMPLEX : pFormat += 2; pFormat += *((signed short *)pFormat); // // We must be at FC_STRUCT, FC_PSTRUCT, FC_SMFARRAY, or FC_LGFARRAY. // All these have the total size as a short at 2 bytes past the // beginning of the description except for large fixed array. // if ( *pFormat != FC_LGFARRAY ) ElementSize = (long) *((ushort *)(pFormat + 2)); else ElementSize = *((long UNALIGNED *)(pFormat + 2)); break; // // Simple type (enum16 not possible). // default : ElementSize = SIMPLE_TYPE_MEMSIZE( *pFormat ); break; } return TotalSize / ElementSize; } void NdrpArrayVariance( PMIDL_STUB_MESSAGE pStubMsg, uchar * pMemory, PFORMAT_STRING pFormat, long * pOffset, long * pLength ) /*++ Routine description : This routine determines the offset and length values for an array. Used to handle multidimensional arrays. Arguments : pStubMsg - The stub message. pMemory - The array. pFormat - Array's format string description. pOffset - Returned offset value. pLength - Returned length value. Return : None. --*/ { switch ( *pFormat ) { case FC_SMFARRAY : case FC_LGFARRAY : case FC_CARRAY : *pOffset = 0; *pLength = NdrpArrayElements( pStubMsg, pMemory, pFormat ); break; case FC_BOGUS_ARRAY : { PFORMAT_STRING pFormatBAV = pFormat + 8; CORRELATION_DESC_INCREMENT( pFormatBAV ); if ( *((long UNALIGNED *)(pFormatBAV + 8)) == 0xffffffff ) { *pOffset = 0; *pLength = NdrpArrayElements( pStubMsg, pMemory, pFormat ); return; } } // else fall through case FC_CVARRAY : case FC_SMVARRAY : case FC_LGVARRAY : NdrpComputeVariance( pStubMsg, pMemory, pFormat ); *pOffset = (long) pStubMsg->Offset; *pLength = (long) pStubMsg->ActualCount; break; default : NDR_ASSERT(0,"NdrpArrayVariance : bad format char"); RpcRaiseException( RPC_S_INTERNAL_ERROR ); return; } } PFORMAT_STRING NdrpSkipPointerLayout( PFORMAT_STRING pFormat ) /*-- RoutineDescription : Skips a pointer layout format string description. Arguments : pFormat - Format string pointer layout description. Must currently point to the FC_PP beginning the pointer layout. Return : Format string pointer past the pointer layout. --*/ { long Pointers; NDR_ASSERT( *pFormat == FC_PP, "NdrpSkipPointerLayout : format string not at FC_PP" ); // Skip FC_PP and FC_PAD. pFormat += 2; for (;;) { switch ( *pFormat ) { case FC_END : return pFormat + 1; case FC_NO_REPEAT : pFormat += 10; break; case FC_FIXED_REPEAT : pFormat += 2; // fall through... case FC_VARIABLE_REPEAT : pFormat += 6; Pointers = *((ushort * &)pFormat)++; pFormat += Pointers * 8; break; default : NDR_ASSERT( 0, "NdrpSkipPointerLayout : bad format char" ); RpcRaiseException( RPC_S_INTERNAL_ERROR ); return 0; } } } long NdrpStringStructLen( uchar * pMemory, long ElementSize ) /*-- RoutineDescription : Determines a stringable struct's length. Arguments : pMemory - Pointer to stringable struct. ElementSize - Number of bytes of each string element. Return : Length of string. --*/ { long Length; uchar Buffer[256]; // Note : String struct element size is limited to 256 bytes. MIDL_memset( Buffer, 0, 256 ); for ( Length = 0; ; Length++ ) { if ( memcmp( pMemory, Buffer, ElementSize ) == 0 ) break; pMemory += ElementSize; } return Length; } void NdrpCheckBound( ulong Bound, int Type ) { ulong Mask; switch ( Type ) { case FC_ULONG : #if defined(__RPC_WIN64__) case FC_UINT3264 : case FC_INT3264 : #endif // // We use a mask here which will raise an exception for counts // of 2GB or more since this is the max NT allocation size. // Mask = 0x80000000UL; break; case FC_LONG : Mask = 0x80000000UL; break; case FC_USHORT : Mask = 0xffff0000UL; break; case FC_SHORT : Mask = 0xffff8000UL; break; case FC_USMALL : Mask = 0xffffff00UL; break; case FC_SMALL : Mask = 0xffffff80UL; break; case 0 : // // For variance which requires calling an auxilary expression // evaluation routine a type is not emitted in the format string. // We have to just give up. // // The same thing happens with constant conformance type // we emit zero on the var type nibble. // // we should at least check for long. Mask = 0x80000000UL; break; default : NDR_ASSERT( 0, "NdrpCheckBound : bad type" ); RpcRaiseException( RPC_S_INTERNAL_ERROR ); return; } if ( Bound & Mask ) RpcRaiseException( RPC_X_INVALID_BOUND ); }