WebDAV - crash in 64b process

Discuss and announce Total Commander plugins, addons and other useful tools here, both their usage and their development.

Moderators: sheep, Hacker, Stefan2, white

Post Reply
manison
New Member
New Member
Posts: 1
Joined: 2019-09-15, 20:13 UTC

WebDAV - crash in 64b process

Post by *manison » 2019-09-15, 20:49 UTC

I found a bug in the WebDAV plugin that causes crash in 64b process with high entropy VA enabled. The issue is caused by 64b pointer truncated to 32b by casting it to DWORD instead of DWORD_PTR. This leads to access violation exception. The patch is attached below.

The issue was originally reported by users of Altap Salamander who can use Total Commander plugins through my TC Proxy bridge/adapter. Altap Salamander employs high entropy VA since version 4.0.

Code: Select all

--- old/davfunc.cpp	2019-09-15 22:19:28.000000000 +0200
+++ new/davfunc.cpp	2019-09-15 22:19:28.000000000 +0200
@@ -417,14 +417,14 @@
 		}
 		_tcslcat(BrowserName,TEXT("; en_EN)"),countof(BrowserName)-1);
 	}
 	return BrowserName;
 }
 
-void __stdcall DummyCallback(HINTERNET hInternet,DWORD dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen);
-void __stdcall InternetCallback(HINTERNET hInternet,DWORD dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen);
+void __stdcall DummyCallback(HINTERNET hInternet,DWORD_PTR dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen);
+void __stdcall InternetCallback(HINTERNET hInternet,DWORD_PTR dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen);
 
 int WebDavConnect(pConnectSettings ConnectSettings)
 {
 	WORD wVersionRequested;
 	WSADATA wsaData;
 
@@ -452,13 +452,13 @@
 				opentype=INTERNET_OPEN_TYPE_PRECONFIG;
 			}
 
 			ConnectSettings->InetHandle=InternetOpen(GetBrowserName(),opentype,pproxy,NULL,INTERNET_FLAG_ASYNC);
 		}
 		if (ConnectSettings->InetHandle) {
-			InternetSetStatusCallback(ConnectSettings->InetHandle,(INTERNET_STATUS_CALLBACK)&DummyCallback);
+			InternetSetStatusCallback(ConnectSettings->InetHandle,&DummyCallback);
 
 			InternetSetOption(ConnectSettings->InetHandle, INTERNET_OPTION_PROXY_USERNAME,
 				ConnectSettings->proxyuser, _tcslen(ConnectSettings->proxyuser)+1);
 
 			//strPassword is the buffer that contains the proxy password.
 			InternetSetOption(ConnectSettings->InetHandle, INTERNET_OPTION_PROXY_PASSWORD,
@@ -2410,33 +2410,33 @@
 {
 	cbuf->lastpercent=0;
 	cbuf->dwError=0;
 	cbuf->hCreatedRequest=NULL;
 	cbuf->hHandleCreatedEvent=CreateEvent(NULL, FALSE, FALSE, NULL);
 	cbuf->hRequestCompleteEvent=CreateEvent(NULL, FALSE, FALSE, NULL);
-	InternetSetStatusCallback(ConnHandle,(INTERNET_STATUS_CALLBACK)&InternetCallback);
+	InternetSetStatusCallback(ConnHandle,&InternetCallback);
 }
 
 void CleanupContextBuf(HINTERNET ConnHandle,CONTEXTBUF* cbuf)
 {
 	CloseHandle(cbuf->hHandleCreatedEvent);
 	CloseHandle(cbuf->hRequestCompleteEvent);
-	InternetSetStatusCallback(ConnHandle,(INTERNET_STATUS_CALLBACK)&DummyCallback);
+	InternetSetStatusCallback(ConnHandle,&DummyCallback);
 }
 
 HINTERNET WINAPI AsyncHttpOpenRequest(HINTERNET hConnect,LPCTSTR lpszVerb,LPCTSTR lpszObjectName,LPCTSTR lpszVersion,LPCTSTR lpszReferrer,LPCTSTR *lplpszAcceptTypes,DWORD dwFlags,CONTEXTBUF* cbuf)
 {
 	HANDLE events[2];
 	HINTERNET openhdl;
 	ResetEvent(cbuf->hHandleCreatedEvent);
 	ResetEvent(cbuf->hRequestCompleteEvent);
 	events[0]=cbuf->hHandleCreatedEvent;
 	events[1]=cbuf->hRequestCompleteEvent;
 
 	openhdl=HttpOpenRequest(hConnect,lpszVerb,lpszObjectName,lpszVersion,
-		lpszReferrer,lplpszAcceptTypes,dwFlags,(DWORD)cbuf);
+		lpszReferrer,lplpszAcceptTypes,dwFlags,(DWORD_PTR)cbuf);
 	if (openhdl==NULL) {
 		if (GetLastError() != ERROR_IO_PENDING)
         {
             return NULL;
         }
 		DWORD waitret;
@@ -2517,13 +2517,13 @@
 			waitpercent=0;
 			LastTick=GetTickCount();  // new: no reaction for 2 seconds _during_ transfer!
 		}
 		if (LastTick>StartTick+2000)
 			if (ProgressProc(PluginNumber,NULL,NULL,cbuf->lastpercent+waitpercent)) {
 				if (!handledeleted) {
-					InternetSetStatusCallback(hRequest,(INTERNET_STATUS_CALLBACK)&DummyCallback);
+					InternetSetStatusCallback(hRequest,&DummyCallback);
 					InternetCloseHandle(hRequest);
 				}
 				handledeleted=true;
 				ok=false;
 				looprunning=false;
 			}
@@ -4268,18 +4268,18 @@
 	*/
 }
 
 //*******************************************************************************
 
 // catches callbacks coming too late!
-void __stdcall DummyCallback(HINTERNET hInternet,DWORD dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen)
+void __stdcall DummyCallback(HINTERNET hInternet,DWORD_PTR dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen)
 {
 	MessageBeep(0);
 }
 
-void __stdcall InternetCallback(HINTERNET hInternet,DWORD dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen)
+void __stdcall InternetCallback(HINTERNET hInternet,DWORD_PTR dwContext,DWORD dwInternetStatus,LPVOID lpStatusInfo,DWORD dwStatusInfoLen)
 {
 	INTERNET_ASYNC_RESULT *pRes = (INTERNET_ASYNC_RESULT *)lpStatusInfo;
 	CONTEXTBUF* cbuf=(CONTEXTBUF*)dwContext;
 
 	switch(dwInternetStatus) {
 		case INTERNET_STATUS_HANDLE_CREATED:


User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37695
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: WebDAV - crash in 64b process

Post by *ghisler(Author) » 2019-09-16, 13:32 UTC

I will check it, thanks.
Author of Total Commander
http://www.ghisler.com

Post Reply