Create, and use for all loads of system DLLs, a wrapper function

called load_system32_dll() which constructs a full pathname for the
DLL using GetSystemDirectory.

The only DLL load not covered by this change is the one for
gssapi32.dll, because that one's not in the system32 directory.

[originally from svn r8993]

windows/window.c

@@ -5019,7 +5019,7 @@ DECL_WINDOWS_FUNCTION(static, BOOL, FlashWindowEx, (PFLASHWINFO));
 
 static void init_flashwindow(void)
 {
-    HMODULE user32_module = LoadLibrary("USER32.DLL");
+    HMODULE user32_module = load_system32_dll("user32.dll");
     GET_WINDOWS_FUNCTION(user32_module, FlashWindowEx);
 }
 

windows/wingss.c

@@ -102,7 +102,7 @@ void ssh_gss_init(void)
     }
 
     /* Microsoft SSPI Implementation */
-    module = LoadLibrary("secur32.dll");
+    module = load_system32_dll("secur32.dll");
     if (module) {
 	struct ssh_gss_library *lib =
 	    &ssh_gss_libraries[n_ssh_gss_libraries++];

windows/winhelp.c

@@ -55,7 +55,7 @@ void init_help(void)
     } else
 	chm_path = NULL;
     if (chm_path) {
-	HINSTANCE dllHH = LoadLibrary("hhctrl.ocx");
+	HINSTANCE dllHH = load_system32_dll("hhctrl.ocx");
 	GET_WINDOWS_FUNCTION(dllHH, HtmlHelpA);
 	if (!p_HtmlHelpA) {
 	    chm_path = NULL;

windows/winmisc.c

@@ -49,7 +49,7 @@ char *get_username(void)
 	static int tried_usernameex = FALSE;
 	if (!tried_usernameex) {
 	    /* Not available on Win9x, so load dynamically */
-	    HMODULE secur32 = LoadLibrary("SECUR32.DLL");
+	    HMODULE secur32 = load_system32_dll("secur32.dll");
 	    GET_WINDOWS_FUNCTION(secur32, GetUserNameExA);
 	    tried_usernameex = TRUE;
 	}
@@ -105,6 +105,33 @@ BOOL init_winver(void)
     return GetVersionEx ( (OSVERSIONINFO *) &osVersion);
 }
 
+HMODULE load_system32_dll(const char *libname)
+{
+    /*
+     * Wrapper function to load a DLL out of c:\windows\system32
+     * without going through the full DLL search path. (Hence no
+     * attack is possible by placing a substitute DLL earlier on that
+     * path.)
+     */
+    static char *sysdir = NULL;
+    char *fullpath;
+    HMODULE ret;
+
+    if (!sysdir) {
+	int size = 0, len;
+	do {
+	    size = 3*size/2 + 512;
+	    sysdir = sresize(sysdir, size, char);
+	    len = GetSystemDirectory(sysdir, size);
+	} while (len >= size);
+    }
+
+    fullpath = dupcat(sysdir, "\\", libname, NULL);
+    ret = LoadLibrary(fullpath);
+    sfree(fullpath);
+    return ret;
+}
+
 #ifdef DEBUG
 static FILE *debug_fp = NULL;
 static HANDLE debug_hdl = INVALID_HANDLE_VALUE;

windows/winnet.c

@@ -227,9 +227,9 @@ void sk_init(void)
 #ifndef NO_IPV6
     winsock2_module =
 #endif
-        winsock_module = LoadLibrary("WS2_32.DLL");
+        winsock_module = load_system32_dll("ws2_32.dll");
     if (!winsock_module) {
-	winsock_module = LoadLibrary("WSOCK32.DLL");
+	winsock_module = load_system32_dll("wsock32.dll");
     }
     if (!winsock_module)
 	fatalbox("Unable to load any WinSock library");
@@ -246,7 +246,7 @@ void sk_init(void)
 	GET_WINDOWS_FUNCTION(winsock_module, gai_strerror);
     } else {
 	/* Fall back to wship6.dll for Windows 2000 */
-	wship6_module = LoadLibrary("wship6.dll");
+	wship6_module = load_system32_dll("wship6.dll");
 	if (wship6_module) {
 #ifdef NET_SETUP_DIAGNOSTICS
 	    logevent(NULL, "WSH IPv6 support detected");

windows/winpgnt.c

@@ -1972,7 +1972,7 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
 	/*
 	 * Attempt to get the security API we need.
 	 */
-	advapi = LoadLibrary("ADVAPI32.DLL");
+	advapi = load_system32_dll("advapi32.dll");
 	GET_WINDOWS_FUNCTION(advapi, GetSecurityInfo);
 	if (!p_GetSecurityInfo) {
 	    MessageBox(NULL,

windows/winstore.c

@@ -497,7 +497,7 @@ static HANDLE access_random_seed(int action)
 	 * on older versions of Windows if we cared enough.
 	 * However, the invocation below requires IE5+ anyway,
 	 * so stuff that. */
-	shell32_module = LoadLibrary("SHELL32.DLL");
+	shell32_module = load_system32_dll("shell32.dll");
 	GET_WINDOWS_FUNCTION(shell32_module, SHGetFolderPathA);
 	tried_shgetfolderpath = TRUE;
     }

windows/winstuff.h

@@ -446,6 +446,7 @@ void show_help(HWND hwnd);
  */
 extern OSVERSIONINFO osVersion;
 BOOL init_winver(void);
+HMODULE load_system32_dll(const char *libname);
 
 /*
  * Exports from sizetip.c.