Create, and use for all loads of system DLLs, a wrapper function

called load_system32_dll() which constructs a full pathname for the DLL using GetSystemDirectory. The only DLL load not covered by this change is the one for gssapi32.dll, because that one's not in the system32 directory. [originally from svn r8993]
2025-07-02 03:52:49 -05:00 · 2010-09-13 08:29:45 +00:00
parent 75f1d3ed94
commit 9f274bed91
8 changed files with 37 additions and 9 deletions
--- a/windows/winmisc.c
+++ b/windows/winmisc.c
@ -49,7 +49,7 @@ char *get_username(void)
 	static int tried_usernameex = FALSE;
 	if (!tried_usernameex) {
 	    /* Not available on Win9x, so load dynamically */
-	    HMODULE secur32 = LoadLibrary("SECUR32.DLL");
+	    HMODULE secur32 = load_system32_dll("secur32.dll");
 	    GET_WINDOWS_FUNCTION(secur32, GetUserNameExA);
 	    tried_usernameex = TRUE;
 	}
@ -105,6 +105,33 @@ BOOL init_winver(void)
    return GetVersionEx ( (OSVERSIONINFO *) &osVersion);
 }

+HMODULE load_system32_dll(const char *libname)
+{
+    /*
+     * Wrapper function to load a DLL out of c:\windows\system32
+     * without going through the full DLL search path. (Hence no
+     * attack is possible by placing a substitute DLL earlier on that
+     * path.)
+     */
+    static char *sysdir = NULL;
+    char *fullpath;
+    HMODULE ret;
+
+    if (!sysdir) {
+	int size = 0, len;
+	do {
+	    size = 3*size/2 + 512;
+	    sysdir = sresize(sysdir, size, char);
+	    len = GetSystemDirectory(sysdir, size);
+	} while (len >= size);
+    }
+
+    fullpath = dupcat(sysdir, "\\", libname, NULL);
+    ret = LoadLibrary(fullpath);
+    sfree(fullpath);
+    return ret;
+}
+
 #ifdef DEBUG
 static FILE *debug_fp = NULL;
 static HANDLE debug_hdl = INVALID_HANDLE_VALUE;