Use file mapping to marshall message data

GlobalAlloc() is no longer supported for this purpose.
Also split out leash message marshalling code into a separate function
acquire_tkt_send_message_leash and improve string copy safety.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

ticket: 7276 (new)
queue: kfw
target_version: 1.10.4
tags: pullup

2 files changed, 126 insertions, 49 deletions

diff --git a/src/windows/leash/LeashView.cpp b/src/windows/leash/LeashView.cpp
index 96c5127eb9..0460f2c8a1 100644
--- a/src/windows/leash/LeashView.cpp
+++ b/src/windows/leash/LeashView.cpp
@@ -2729,7 +2729,7 @@ LRESULT
 CLeashView::OnObtainTGTWithParam(WPARAM wParam, LPARAM lParam)
 {
     LRESULT res = 0;
-    char * param = (char *) GlobalLock((HGLOBAL) lParam);
+    char *param = 0;
     LSH_DLGINFO_EX ldi;
     ldi.size = sizeof(ldi);
     ldi.dlgtype = DLGTYPE_PASSWD;
@@ -2737,6 +2737,14 @@ CLeashView::OnObtainTGTWithParam(WPARAM wParam, LPARAM lParam)
     ldi.title = ldi.in.title;
     ldi.username = ldi.in.username;
     ldi.realm = ldi.in.realm;
+
+    if (lParam)
+        param = (char *) MapViewOfFile((HANDLE)lParam,
+                                       FILE_MAP_ALL_ACCESS,
+                                       0,
+                                       0,
+                                       4096);
+
     if ( param ) {
         if ( *param )
             strcpy(ldi.in.title,param);
@@ -2757,7 +2765,10 @@ CLeashView::OnObtainTGTWithParam(WPARAM wParam, LPARAM lParam)
         ldi.dlgtype |= DLGFLAG_READONLYPRINC;
 
     res = pLeash_kinit_dlg_ex(m_hWnd, &ldi);
-    GlobalUnlock((HGLOBAL) lParam);
+    if (param)
+        UnmapViewOfFile(param);
+    if (lParam)
+        CloseHandle((HANDLE )lParam);
     ::SendMessage(m_hWnd, WM_COMMAND, ID_UPDATE_DISPLAY, 0);
     return res;
 }
diff --git a/src/windows/leashdll/lshfunc.c b/src/windows/leashdll/lshfunc.c
index bd12121aa1..bc86634a7d 100644
--- a/src/windows/leashdll/lshfunc.c
+++ b/src/windows/leashdll/lshfunc.c
@@ -2662,6 +2662,117 @@ Leash_reset_defaults(void)
     Leash_reset_default_preserve_kinit_settings();
 }
 
+static void
+acquire_tkt_send_msg_leash(const char *title,
+                           const char *ccachename,
+                           const char *name,
+                           const char *realm)
+{
+    DWORD leashProcessId = 0;
+    DWORD bufsize = 4096;
+    DWORD step;
+    HANDLE hLeashProcess = NULL;
+    HANDLE hMapFile = NULL;
+    HANDLE hTarget = NULL;
+    HWND hLeashWnd = FindWindow("LEASH.0WNDCLASS", NULL);
+    char *strs;
+    void *view;
+    if (!hLeashWnd)
+        // no leash window
+        return;
+
+    GetWindowThreadProcessId(hLeashWnd, &leashProcessId);
+    hLeashProcess = OpenProcess(PROCESS_DUP_HANDLE,
+                                FALSE,
+                                leashProcessId);
+    if (!hLeashProcess)
+        // can't get process handle; use GetLastError() for more info
+        return;
+
+    hMapFile = CreateFileMapping(INVALID_HANDLE_VALUE, // use paging file
+                                 NULL,                 // default security
+                                 PAGE_READWRITE,       // read/write access
+                                 0,                    // max size (high 32)
+                                 bufsize,              // max size (low 32)
+                                 NULL);                // name
+    if (!hMapFile) {
+        // GetLastError() for more info
+        CloseHandle(hLeashProcess);
+        return;
+    }
+
+    SetForegroundWindow(hLeashWnd);
+
+    view = MapViewOfFile(hMapFile,
+                         FILE_MAP_ALL_ACCESS,
+                         0,
+                         0,
+                         bufsize);
+    if (view != NULL) {
+        /* construct a marshalling of data
+         *   <title><principal><realm><ccache>
+         * then send to Leash
+         */
+        strs = (char *)view;
+        // first reserve space for three more NULLs (4 strings total)
+        bufsize -= 3;
+        // Dialog title
+        if (title != NULL)
+            strcpy_s(strs, bufsize, title);
+        else if (name != NULL && realm != NULL)
+            sprintf_s(strs, bufsize,
+                      "Obtain Kerberos TGT for %s@%s", name, realm);
+        else
+            strcpy_s(strs, bufsize, "Obtain Kerberos TGT");
+        step = strlen(strs);
+        strs += step + 1;
+        bufsize -= step;
+        // name and realm
+        if (name != NULL) {
+            strcpy_s(strs, bufsize, name);
+            step = strlen(strs);
+            strs += step + 1;
+            bufsize -= step;
+            if (realm != NULL) {
+                strcpy_s(strs, bufsize, realm);
+                step = strlen(strs);
+                strs += step + 1;
+                bufsize -= step;
+            } else {
+                *strs = 0;
+                strs++;
+            }
+        } else {
+            *strs = 0;
+            strs++;
+            *strs = 0;
+            strs++;
+        }
+
+        /* Append the ccache name */
+        if (ccachename != NULL)
+            strcpy_s(strs, bufsize, ccachename);
+        else
+            *strs = 0;
+
+        UnmapViewOfFile(view);
+    }
+    // Duplicate the file mapping handle to one leash can use
+    if (DuplicateHandle(GetCurrentProcess(),
+                        hMapFile,
+                        hLeashProcess,
+                        &hTarget,
+                        PAGE_READWRITE,
+                        FALSE,
+                        DUPLICATE_SAME_ACCESS |
+                        DUPLICATE_CLOSE_SOURCE)) {
+        /* 32809 = ID_OBTAIN_TGT_WITH_LPARAM in src/windows/leash/resource.h */
+        SendMessage(hLeashWnd, 32809, 0, (LPARAM) hTarget);
+    } else {
+        // GetLastError()
+    }
+}
+
 static int
 acquire_tkt_send_msg(krb5_context ctx, const char * title,
 		     const char * ccachename,
@@ -2756,53 +2867,8 @@ acquire_tkt_send_msg(krb5_context ctx, const char * title,
 	UnmapViewOfFile(dlginfo);
 	CloseHandle(hMap);
     } else {
-	HGLOBAL 		hData;
-	HWND hLeash = FindWindow("LEASH.0WNDCLASS", NULL);
-
-	/* construct a marshalling of data
-	 *   <title><principal><realm><ccache>
-	 * then send to Leash
-	 */
-
-	hData = GlobalAlloc( GHND, 4096 );
-	SetForegroundWindow(hLeash);
-	if ( hData && hLeash ) {
-	    char * strs = GlobalLock(hData);
-	    if ( strs ) {
-		if (title)
-		    strcpy(strs, title);
-		else if (desiredName)
-		    sprintf(strs, "Obtain Kerberos TGT for %s@%s",desiredName,desiredRealm);
-		else
-		    strcpy(strs, "Obtain Kerberos TGT");
-		strs += strlen(strs) + 1;
-		if ( desiredName ) {
-		    strcpy(strs, desiredName);
-		    strs += strlen(strs) + 1;
-		    if (desiredRealm) {
-			strcpy(strs, desiredRealm);
-			strs += strlen(strs) + 1;
-		    }
-		} else {
-		    *strs = 0;
-		    strs++;
-		    *strs = 0;
-		    strs++;
-		}
-
-		/* Append the ccache name */
-		if (ccachename)
-		    strcpy(strs, ccachename);
-		else
-		    *strs = 0;
-		strs++;
-
-		GlobalUnlock( hData );
-		/* 32809 = ID_OBTAIN_TGT_WITH_LPARAM in src/windows/leash/resource.h */
-		SendMessage(hLeash, 32809, 0, (LPARAM) hData);
-	    }
-	}
-	GlobalFree( hData );
+        acquire_tkt_send_msg_leash(title,
+                                   ccachename, desiredName, desiredRealm);
     }
 
     SetForegroundWindow(hForeground);