Changeset 23916 in vbox

Timestamp:

Oct 20, 2009 5:14:40 PM (15 years ago)

Author:

vboxsync

Message:

Verify VMMREQUEST (xTracker #4336).

Location:

trunk

Files:

• include/VBox/VBoxGuestLib.h (modified) (1 diff)
• src/VBox/Additions/WINNT/VBoxGuest/VBoxGuest.cpp (modified) (1 diff)
• src/VBox/Additions/common/VBoxGuest/VBoxGuest.cpp (modified) (2 diffs)
• src/VBox/Additions/common/VBoxGuestLib/GenericRequest.cpp (modified) (1 diff)

trunk/include/VBox/VBoxGuestLib.h

@@ -156 +156 @@
  */
 DECLVBGL(void) VbglGRFree (VMMDevRequestHeader *pReq);
+
+/**
+ * Verify the generic request header.
+ *
+ * @param pReq     pointer the request header structure.
+ * @param cbReq    size of the request memory block. It should be equal to the request size
+ *                 for fixed size requests. It can be greater than the request size for
+ *                 variable size requests.
+ *
+ * @return VBox status code.
+ */
+DECLVBGL(int) VbglGRVerify (const VMMDevRequestHeader *pReq, size_t cbReq);
 /** @} */
 

trunk/src/VBox/Additions/WINNT/VBoxGuest/VBoxGuest.cpp

@@ -963 +963 @@
             CHECK_SIZE(vmmdevGetRequestSize(requestHeader->requestType));
 
+            int rc = VbglGRVerify(requestHeader, requestHeader->size);
+            if (RT_FAILURE(rc))
+            {
+                dprintf(("VBoxGuest::VBoxGuestDeviceControl: VMMREQUEST: invalid header: size %#x, expected >= %#x (hdr); type=%#x; rc %d!!\n",
+                     requestHeader->size, vmmdevGetRequestSize(requestHeader->requestType), requestHeader->requestType, rc));
+                Status = STATUS_INVALID_PARAMETER;
+                break;
+            }
+
             /* just perform the request */
             VMMDevRequestHeader *req = NULL;
 
-            int rc = VbglGRAlloc((VMMDevRequestHeader **)&req, requestHeader->size, requestHeader->requestType);
+            rc = VbglGRAlloc((VMMDevRequestHeader **)&req, requestHeader->size, requestHeader->requestType);
 
             if (RT_SUCCESS(rc))

trunk/src/VBox/Additions/common/VBoxGuest/VBoxGuest.cpp

@@ -1004 +1004 @@
         return VERR_INVALID_PARAMETER;
     }
+    int rc = VbglGRVerify(pReqHdr, cbData);
+    if (RT_FAILURE(rc))
+    {
+        Log(("VBoxGuestCommonIOCtl: VMMREQUEST: invalid header: size %#x, expected >= %#x (hdr); type=%#x; rc %d!!\n",
+             cbData, cbReq, enmType, rc));
+        return rc;
+    }
 
     /*
@@ -1013 +1020 @@
      */
     VMMDevRequestHeader *pReqCopy;
-    int rc = VbglGRAlloc(&pReqCopy, cbReq, enmType);
+    rc = VbglGRAlloc(&pReqCopy, cbReq, enmType);
     if (RT_FAILURE(rc))
     {

trunk/src/VBox/Additions/common/VBoxGuestLib/GenericRequest.cpp

@@ -24 +24 @@
 #include <iprt/assert.h>
 #include <iprt/string.h>
+
+DECLVBGL(int) VbglGRVerify (const VMMDevRequestHeader *pReq, size_t cbReq)
+{
+    if (!pReq || cbReq < sizeof (VMMDevRequestHeader))
+    {
+        dprintf(("VbglGRVerify: Invalid parameter: pReq = %p, cbReq = %d\n", pReq, cbReq));
+        return VERR_INVALID_PARAMETER;
+    }
+
+    if (pReq->size > cbReq)
+    {
+        dprintf(("VbglGRVerify: request size %d > buffer size %d\n", pReq->size, cbReq));
+        return VERR_INVALID_PARAMETER;
+    }
+
+    /* The request size must correspond to the request type. */
+    size_t cbReqExpected = vmmdevGetRequestSize(pReq->requestType);
+
+    if (cbReq < cbReqExpected)
+    {
+        dprintf(("VbglGRVerify: buffer size %d < expected size %d\n", cbReq, cbReqExpected));
+        return VERR_INVALID_PARAMETER;
+    }
+
+    if (cbReqExpected == cbReq)
+    {
+        /* This is most likely a fixed size request, and in this case the request size
+         * must be also equal to the expected size.
+         */
+        if (pReq->size != cbReqExpected)
+        {
+            dprintf(("VbglGRVerify: request size %d != expected size %d\n", pReq->size, cbReqExpected));
+            return VERR_INVALID_PARAMETER;
+        }
+
+        return VINF_SUCCESS;
+    }
+
+    /* This can be a variable size request. Check the request type and limit the size
+     * to VMMDEV_MAX_VMMDEVREQ_SIZE, which is max size supported by the host. 
+     */
+    if (   pReq->requestType == VMMDevReq_LogString
+        || pReq->requestType == VMMDevReq_VideoSetVisibleRegion
+        || pReq->requestType == VMMDevReq_SetPointerShape
+#ifdef VBOX_WITH_64_BITS_GUESTS
+        || pReq->requestType == VMMDevReq_HGCMCall32
+        || pReq->requestType == VMMDevReq_HGCMCall64
+#else
+        || pReq->requestType == VMMDevReq_HGCMCall
+#endif /* VBOX_WITH_64_BITS_GUESTS */
+        || pReq->requestType == VMMDevReq_ChangeMemBalloon)
+    {
+        if (cbReq > VMMDEV_MAX_VMMDEVREQ_SIZE)
+        {
+            dprintf(("VbglGRVerify: VMMDevReq_LogString: buffer size %d too big\n", cbReq));
+            return VERR_BUFFER_OVERFLOW; /* @todo is this error code ok? */
+        }
+    }
+    else
+    {
+        dprintf(("VbglGRVerify: request size %d > buffer size %d\n", pReq->size, cbReq));
+        return VERR_IO_BAD_LENGTH; /* @todo is this error code ok? */
+    }
+
+    return VINF_SUCCESS;
+}
 
 DECLVBGL(int) VbglGRAlloc (VMMDevRequestHeader **ppReq, uint32_t cbSize, VMMDevRequestType reqType)