Use file mapping to marshall message data
authorKevin Wasserman <kevin.wasserman@painless-security.com>
Thu, 21 Jun 2012 19:30:24 +0000 (15:30 -0400)
committerTom Yu <tlyu@mit.edu>
Mon, 27 Aug 2012 23:27:39 +0000 (19:27 -0400)
GlobalAlloc() is no longer supported for this purpose.
Also split out leash message marshalling code into a separate function
acquire_tkt_send_message_leash and improve string copy safety.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit e2ad5d74adbf3edc8a7026cad8283c0077377e81)

ticket: 7276
status: resolved

src/windows/leash/LeashView.cpp
src/windows/leashdll/lshfunc.c

index 96c5127eb9e64e818a82230102f3f2492858afba..0460f2c8a15a1c0b1ebebf3176fc01a8d0c5339f 100644 (file)
@@ -2729,7 +2729,7 @@ LRESULT
 CLeashView::OnObtainTGTWithParam(WPARAM wParam, LPARAM lParam)
 {
     LRESULT res = 0;
-    char * param = (char *) GlobalLock((HGLOBAL) lParam);
+    char *param = 0;
     LSH_DLGINFO_EX ldi;
     ldi.size = sizeof(ldi);
     ldi.dlgtype = DLGTYPE_PASSWD;
@@ -2737,6 +2737,14 @@ CLeashView::OnObtainTGTWithParam(WPARAM wParam, LPARAM lParam)
     ldi.title = ldi.in.title;
     ldi.username = ldi.in.username;
     ldi.realm = ldi.in.realm;
+
+    if (lParam)
+        param = (char *) MapViewOfFile((HANDLE)lParam,
+                                       FILE_MAP_ALL_ACCESS,
+                                       0,
+                                       0,
+                                       4096);
+
     if ( param ) {
         if ( *param )
             strcpy(ldi.in.title,param);
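Review bot: The view mapped from `lParam` is still parsed with an unbounded copy, `strcpy(ldi.in.title,param)` on the context line right after the added block, so the receiver does not get the string-copy safety that the sender gains in this commit. Nothing visible here checks that the 4096-byte view holds NUL-terminated strings or that each string fits its destination field. Assuming `ldi.in.title` is a fixed-size array, a bounded copy such as `strncpy_s(ldi.in.title, sizeof(ldi.in.title), param, _TRUNCATE);`, together with an end-of-view check while advancing `param`, would close that gap. The handler only reads the data, so `FILE_MAP_READ` would be enough in place of `FILE_MAP_ALL_ACCESS`. The remaining field copies lie outside this hunk and should be checked for the same pattern.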
@@ -2757,7 +2765,10 @@ CLeashView::OnObtainTGTWithParam(WPARAM wParam, LPARAM lParam)
         ldi.dlgtype |= DLGFLAG_READONLYPRINC;
 
     res = pLeash_kinit_dlg_ex(m_hWnd, &ldi);
-    GlobalUnlock((HGLOBAL) lParam);
+    if (param)
+        UnmapViewOfFile(param);
+    if (lParam)
+        CloseHandle((HANDLE )lParam);
     ::SendMessage(m_hWnd, WM_COMMAND, ID_UPDATE_DISPLAY, 0);
     return res;
 }
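Review bot: `CloseHandle((HANDLE )lParam)` runs whenever `lParam` is non-zero, including when `MapViewOfFile` failed and the value was never confirmed to be a file-mapping handle. Because `lParam` arrives in a window message, the handler is closing a handle value it has not validated; whether other senders can reach this message ID is not visible from the hunk. Consider closing only after a successful map, accepting that a genuine handle then leaks if mapping fails for another reason. At minimum, state the ownership contract above the mapping call, e.g. `/* lParam: file-mapping handle duplicated into this process by the sender; this handler owns it and must close it */`.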
index bd12121aa1b3afa4305536e008040e3e1e901354..bc86634a7dc8352dd7903d213c1784d92921f51b 100644 (file)
@@ -2662,6 +2662,117 @@ Leash_reset_defaults(void)
     Leash_reset_default_preserve_kinit_settings();
 }
 
+static void
+acquire_tkt_send_msg_leash(const char *title,
+                           const char *ccachename,
+                           const char *name,
+                           const char *realm)
+{
+    DWORD leashProcessId = 0;
+    DWORD bufsize = 4096;
+    DWORD step;
+    HANDLE hLeashProcess = NULL;
+    HANDLE hMapFile = NULL;
+    HANDLE hTarget = NULL;
+    HWND hLeashWnd = FindWindow("LEASH.0WNDCLASS", NULL);
+    char *strs;
+    void *view;
+    if (!hLeashWnd)
+        // no leash window
+        return;
+
+    GetWindowThreadProcessId(hLeashWnd, &leashProcessId);
+    hLeashProcess = OpenProcess(PROCESS_DUP_HANDLE,
+                                FALSE,
+                                leashProcessId);
+    if (!hLeashProcess)
+        // can't get process handle; use GetLastError() for more info
+        return;
+
+    hMapFile = CreateFileMapping(INVALID_HANDLE_VALUE, // use paging file
+                                 NULL,                 // default security
+                                 PAGE_READWRITE,       // read/write access
+                                 0,                    // max size (high 32)
+                                 bufsize,              // max size (low 32)
+                                 NULL);                // name
+    if (!hMapFile) {
+        // GetLastError() for more info
+        CloseHandle(hLeashProcess);
+        return;
+    }
+
+    SetForegroundWindow(hLeashWnd);
+
+    view = MapViewOfFile(hMapFile,
+                         FILE_MAP_ALL_ACCESS,
+                         0,
+                         0,
+                         bufsize);
+    if (view != NULL) {
+        /* construct a marshalling of data
+         *   <title><principal><realm><ccache>
+         * then send to Leash
+         */
+        strs = (char *)view;
+        // first reserve space for three more NULLs (4 strings total)
+        bufsize -= 3;
+        // Dialog title
+        if (title != NULL)
+            strcpy_s(strs, bufsize, title);
+        else if (name != NULL && realm != NULL)
+            sprintf_s(strs, bufsize,
+                      "Obtain Kerberos TGT for %s@%s", name, realm);
+        else
+            strcpy_s(strs, bufsize, "Obtain Kerberos TGT");
+        step = strlen(strs);
+        strs += step + 1;
+        bufsize -= step;
+        // name and realm
+        if (name != NULL) {
+            strcpy_s(strs, bufsize, name);
+            step = strlen(strs);
+            strs += step + 1;
+            bufsize -= step;
+            if (realm != NULL) {
+                strcpy_s(strs, bufsize, realm);
+                step = strlen(strs);
+                strs += step + 1;
+                bufsize -= step;
+            } else {
+                *strs = 0;
+                strs++;
+            }
+        } else {
+            *strs = 0;
+            strs++;
+            *strs = 0;
+            strs++;
+        }
+
+        /* Append the ccache name */
+        if (ccachename != NULL)
+            strcpy_s(strs, bufsize, ccachename);
+        else
+            *strs = 0;
+
+        UnmapViewOfFile(view);
+    }
+    // Duplicate the file mapping handle to one leash can use
+    if (DuplicateHandle(GetCurrentProcess(),
+                        hMapFile,
+                        hLeashProcess,
+                        &hTarget,
+                        PAGE_READWRITE,
+                        FALSE,
+                        DUPLICATE_SAME_ACCESS |
+                        DUPLICATE_CLOSE_SOURCE)) {
+        /* 32809 = ID_OBTAIN_TGT_WITH_LPARAM in src/windows/leash/resource.h */
+        SendMessage(hLeashWnd, 32809, 0, (LPARAM) hTarget);
+    } else {
+        // GetLastError()
+    }
+}
+
 static int
 acquire_tkt_send_msg(krb5_context ctx, const char * title,
                     const char * ccachename,
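Review bot: `hLeashProcess` is closed only on the `CreateFileMapping` failure path, so every call to acquire_tkt_send_msg_leash that gets past that point leaks a process handle; add `CloseHandle(hLeashProcess);` after the `DuplicateHandle` if/else. The return values of `strcpy_s` and `sprintf_s` are unchecked, and with the default CRT invalid-parameter handler an over-long title, name, realm or ccache name terminates the calling process rather than truncating. Either check the lengths up front or use the truncating forms, e.g. `strncpy_s(strs, bufsize, title, _TRUNCATE);`. The `dwDesiredAccess` argument to `DuplicateHandle` is `PAGE_READWRITE`, a page-protection constant rather than an access mask; it is ignored because `DUPLICATE_SAME_ACCESS` is set, so `0` would be clearer. When `MapViewOfFile` returns NULL the handle is still duplicated and the message sent with an unwritten buffer, so an early return on that path would be cleaner.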
@@ -2756,53 +2867,8 @@ acquire_tkt_send_msg(krb5_context ctx, const char * title,
        UnmapViewOfFile(dlginfo);
        CloseHandle(hMap);
     } else {
-       HGLOBAL                 hData;
-       HWND hLeash = FindWindow("LEASH.0WNDCLASS", NULL);
-
-       /* construct a marshalling of data
-        *   <title><principal><realm><ccache>
-        * then send to Leash
-        */
-
-       hData = GlobalAlloc( GHND, 4096 );
-       SetForegroundWindow(hLeash);
-       if ( hData && hLeash ) {
-           char * strs = GlobalLock(hData);
-           if ( strs ) {
-               if (title)
-                   strcpy(strs, title);
-               else if (desiredName)
-                   sprintf(strs, "Obtain Kerberos TGT for %s@%s",desiredName,desiredRealm);
-               else
-                   strcpy(strs, "Obtain Kerberos TGT");
-               strs += strlen(strs) + 1;
-               if ( desiredName ) {
-                   strcpy(strs, desiredName);
-                   strs += strlen(strs) + 1;
-                   if (desiredRealm) {
-                       strcpy(strs, desiredRealm);
-                       strs += strlen(strs) + 1;
-                   }
-               } else {
-                   *strs = 0;
-                   strs++;
-                   *strs = 0;
-                   strs++;
-               }
-
-               /* Append the ccache name */
-               if (ccachename)
-                   strcpy(strs, ccachename);
-               else
-                   *strs = 0;
-               strs++;
-
-               GlobalUnlock( hData );
-               /* 32809 = ID_OBTAIN_TGT_WITH_LPARAM in src/windows/leash/resource.h */
-               SendMessage(hLeash, 32809, 0, (LPARAM) hData);
-           }
-       }
-       GlobalFree( hData );
+        acquire_tkt_send_msg_leash(title,
+                                   ccachename, desiredName, desiredRealm);
     }
 
     SetForegroundWindow(hForeground);