authorChristophe Grenier <grenier@cgsecurity.org>2015-03-08 10:47:50 +0100
committerChristophe Grenier <grenier@cgsecurity.org>2015-03-08 10:47:50 +0100
commitf71504c2fda87336ac177d57686bfbca22c34167 (patch)
tree47ced3f78104d51aac24f0e0b03c98238edce43f /src/hdwin32.c
parent720f62546be37d06e3944a269afdb45d4c834e66 (diff)
Fix check in file_win32_disk_get_model() and add more checks.
Thanks to "dmex" for reporting the incorrect check.
Diffstat (limited to 'src/hdwin32.c')
-rw-r--r--src/hdwin32.c22
1 files changed, 11 insertions, 11 deletions
diff --git a/src/hdwin32.c b/src/hdwin32.c
index 91a28b9..8bc76f5 100644
--- a/src/hdwin32.c
+++ b/src/hdwin32.c
@@ -62,7 +62,7 @@ void file_win32_disk_get_model(HANDLE handle, disk_t *dev, const int verbose)
&query,
sizeof (query),
&buffer,
- sizeof (buffer),
+ sizeof (buffer)-1,
&cbBytesReturned, NULL) )
{
const STORAGE_DEVICE_DESCRIPTOR * descrip = (const STORAGE_DEVICE_DESCRIPTOR *) & buffer;
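Review bot: The `-1` in `sizeof (buffer)-1` carries an invariant that nothing at the call site states: it reserves the last byte so that the later `buffer[cbBytesReturned]='\0'` stays inside the array. A comment on that argument would keep a later edit from restoring `sizeof (buffer)`, for example `/* keep one byte free for the terminator written at buffer[cbBytesReturned] */`. The call and the enclosing function both begin and end outside this hunk.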
@@ -75,20 +75,20 @@ void file_win32_disk_get_model(HANDLE handle, disk_t *dev, const int verbose)
log_info("IOCTL_STORAGE_QUERY_PROPERTY:\n");
dump_log(&buffer, cbBytesReturned);
}
- buffer[(cbBytesReturned < sizeof(buffer) ? cbBytesReturned : sizeof(buffer)-1)]='\0';
- if(descrip->SerialNumberOffset!=0 && descrip->SerialNumberOffset!=0xffffffff)
+ buffer[cbBytesReturned]='\0';
+ if(descrip->SerialNumberOffset!=0 && descrip->SerialNumberOffset < cbBytesReturned)
dev->serial_no=strip_dup(&buffer[descrip->SerialNumberOffset]);
- if(descrip->ProductIdOffset!=0)
+ if(descrip->ProductRevisionOffset!=0 && descrip->ProductRevisionOffset < cbBytesReturned)
dev->fw_rev=strip_dup(&buffer[descrip->ProductRevisionOffset]);
- if(offsetVendor>0)
+ if(offsetVendor > 0 && offsetVendor < cbBytesReturned)
lenVendor=strlen(&buffer[offsetVendor]);
- if(offsetProduct>0)
+ if(offsetProduct > 0 && offsetProduct < cbBytesReturned)
lenProduct=strlen(&buffer[offsetProduct]);
- if(lenVendor+lenProduct>0)
+ if(lenVendor+lenProduct > 0)
{
dev->model = (char*) MALLOC(lenVendor+1+lenProduct+1);
dev->model[0]='\0';
- if(lenVendor>0)
+ if(lenVendor>0 && offsetVendor + lenVendor <= cbBytesReturned)
{
int i;
memcpy(dev->model, &buffer[offsetVendor], lenVendor);
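Review bot: `descrip->SerialNumberOffset` and `descrip->ProductRevisionOffset` are read without first checking that `cbBytesReturned` covers the fixed part of the descriptor, so on a short reply the offsets come from whatever the buffer held before the call (its initialisation is not visible here). The new `< cbBytesReturned` comparisons keep the reads inside the returned data, but strings taken from such offsets would be meaningless. A precondition such as `if(cbBytesReturned >= offsetof(STORAGE_DEVICE_DESCRIPTOR, RawDeviceProperties))` around the parsing would close that. Since `offsetVendor` and `offsetProduct` are assigned outside this hunk, the guard presumably belongs before those assignments as well.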
@@ -98,11 +98,11 @@ void file_win32_disk_get_model(HANDLE handle, disk_t *dev, const int verbose)
dev->model[++i]=' ';
dev->model[++i]='\0';
}
- if(lenProduct>0)
+ if(lenProduct>0 && offsetProduct + lenProduct <= cbBytesReturned)
{
int i;
- strncat(dev->model, &buffer[offsetProduct],lenProduct);
- for(i=strlen(dev->model)-1;i>=0 && dev->model[i]==' ';i--);
+ strncat(dev->model, &buffer[offsetProduct], lenProduct);
+ for(i=strlen(dev->model)-1; i>=0 && dev->model[i]==' '; i--);
dev->model[++i]='\0';
}
if(strlen(dev->model)>0)
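Review bot: The trailing-space trim `for(i=strlen(dev->model)-1; i>=0 && dev->model[i]==' '; i--);` relies on an empty loop body marked only by the final `;`, and it narrows a `size_t` expression into `int i`. Both are easy to misread. Writing it as `for(i=(int)strlen(dev->model)-1; i>=0 && dev->model[i]==' '; i--) { }` with a short comment such as `/* strip trailing spaces */` makes the intent explicit. The vendor branch appears to use the same idiom in lines outside this hunk, so the same wording would apply there.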