From bda368a515dc80afe90f2a35c3eb123b2489aa9f Mon Sep 17 00:00:00 2001
From: simon
Date: Mon, 13 Sep 2010 08:29:45 +0000
Subject: [PATCH] Create, and use for all loads of system DLLs, a wrapper function called load_system32_dll() which constructs a full pathname for the DLL using GetSystemDirectory. The only DLL load not covered by this change is the one for gssapi32.dll, because that one's not in the system32 directory.
git-svn-id: svn://svn.tartarus.org/sgt/putty@8993 cda61777-01e9-0310-a592-d414129be87e
---
 windows/window.c | 2 +-
 windows/wingss.c | 2 +-
 windows/winhelp.c | 2 +-
 windows/winmisc.c | 29 ++++++++++++++++++++++++++++-
 windows/winnet.c | 6 +++---
 windows/winpgnt.c | 2 +-
 windows/winstore.c | 2 +-
 windows/winstuff.h | 1 +
 8 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/windows/window.c b/windows/window.c
index 18a11093..2b80430d 100644
--- a/windows/window.c
+++ b/windows/window.c
@@ -5019,7 +5019,7 @@ DECL_WINDOWS_FUNCTION(static, BOOL, FlashWindowEx, (PFLASHWINFO));
 static void init_flashwindow(void) {
- HMODULE user32_module = LoadLibrary("USER32.DLL");
+ HMODULE user32_module = load_system32_dll("user32.dll");
 GET_WINDOWS_FUNCTION(user32_module, FlashWindowEx);
 }
diff --git a/windows/wingss.c b/windows/wingss.c
index 5f45c98b..ac0b3cfa 100644
--- a/windows/wingss.c
+++ b/windows/wingss.c
@@ -102,7 +102,7 @@ void ssh_gss_init(void)
 } /* Microsoft SSPI Implementation */
- module = LoadLibrary("secur32.dll");
+ module = load_system32_dll("secur32.dll");
 if (module) {
 struct ssh_gss_library *lib = &ssh_gss_libraries[n_ssh_gss_libraries++];
diff --git a/windows/winhelp.c b/windows/winhelp.c
index 078b724e..a8d63a50 100644
--- a/windows/winhelp.c
+++ b/windows/winhelp.c
@@ -55,7 +55,7 @@ void init_help(void)
 } else chm_path = NULL;
 if (chm_path) {
- HINSTANCE dllHH = LoadLibrary("hhctrl.ocx");
+ HINSTANCE dllHH = load_system32_dll("hhctrl.ocx");
 GET_WINDOWS_FUNCTION(dllHH, HtmlHelpA);
 if (!p_HtmlHelpA) {
 chm_path = NULL;
diff --git a/windows/winmisc.c b/windows/winmisc.c
index c7ac8357..d05a07ab 100644
--- a/windows/winmisc.c
+++ b/windows/winmisc.c
@@ -49,7 +49,7 @@ char *get_username(void)
 static int tried_usernameex = FALSE;
 if (!tried_usernameex) { /* Not available on Win9x, so load dynamically */
- HMODULE secur32 = LoadLibrary("SECUR32.DLL");
+ HMODULE secur32 = load_system32_dll("secur32.dll");
 GET_WINDOWS_FUNCTION(secur32, GetUserNameExA);
 tried_usernameex = TRUE;
 }
@@ -105,6 +105,33 @@ BOOL init_winver(void)
 return GetVersionEx ( (OSVERSIONINFO *) &osVersion);
 }
+HMODULE load_system32_dll(const char *libname)
+{
+ /*
+ * Wrapper function to load a DLL out of c:\windows\system32
+ * without going through the full DLL search path. (Hence no
+ * attack is possible by placing a substitute DLL earlier on that
+ * path.)
+ */
+ static char *sysdir = NULL;
+ char *fullpath;
+ HMODULE ret;
+
+ if (!sysdir) {
+ int size = 0, len;
+ do {
+ size = 3*size/2 + 512;
+ sysdir = sresize(sysdir, size, char);
+ len = GetSystemDirectory(sysdir, size);
+ } while (len >= size);
+ }
+
+ fullpath = dupcat(sysdir, "\\", libname, NULL);
+ ret = LoadLibrary(fullpath);
+ sfree(fullpath);
+ return ret;
+}
+
 #ifdef DEBUG
 static FILE *debug_fp = NULL;
 static HANDLE debug_hdl = INVALID_HANDLE_VALUE;
diff --git a/windows/winnet.c b/windows/winnet.c
index 27400724..da291c3e 100644
--- a/windows/winnet.c
+++ b/windows/winnet.c
@@ -227,9 +227,9 @@ void sk_init(void)
 #ifndef NO_IPV6
 winsock2_module =
 #endif
- winsock_module = LoadLibrary("WS2_32.DLL");
+ winsock_module = load_system32_dll("ws2_32.dll");
 if (!winsock_module) {
- winsock_module = LoadLibrary("WSOCK32.DLL");
+ winsock_module = load_system32_dll("wsock32.dll");
 }
 if (!winsock_module) fatalbox("Unable to load any WinSock library");
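Review bot: In `load_system32_dll` (second winmisc.c hunk) the `do … while (len >= size)` loop never checks for `GetSystemDirectory` failing: it returns 0 on error, the loop then exits, and `dupcat` reads whatever the freshly resized `sysdir` buffer happens to hold, so the path handed to `LoadLibrary` is not the system directory. After the loop I would add `if (len == 0) { sfree(sysdir); sysdir = NULL; return NULL; }` so that a failure yields a NULL module and is retried on the next call instead of being cached. Separately, the comment's "no attack is possible" is stronger than the code guarantees: the full path pins only the named DLL, while that DLL's own dependencies are, as far as I know, still resolved through the loader's usual search, so the wording should be narrowed to the file actually named.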
@@ -246,7 +246,7 @@ void sk_init(void)
 GET_WINDOWS_FUNCTION(winsock_module, gai_strerror);
 } else { /* Fall back to wship6.dll for Windows 2000 */
- wship6_module = LoadLibrary("wship6.dll");
+ wship6_module = load_system32_dll("wship6.dll");
 if (wship6_module) {
 #ifdef NET_SETUP_DIAGNOSTICS
 logevent(NULL, "WSH IPv6 support detected");
diff --git a/windows/winpgnt.c b/windows/winpgnt.c
index 825c3605..d592a5e6 100644
--- a/windows/winpgnt.c
+++ b/windows/winpgnt.c
@@ -1972,7 +1972,7 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
 /* * Attempt to get the security API we need. */
- advapi = LoadLibrary("ADVAPI32.DLL");
+ advapi = load_system32_dll("advapi32.dll");
 GET_WINDOWS_FUNCTION(advapi, GetSecurityInfo);
 if (!p_GetSecurityInfo) {
 MessageBox(NULL,
diff --git a/windows/winstore.c b/windows/winstore.c
index d011dbfa..6e804346 100644
--- a/windows/winstore.c
+++ b/windows/winstore.c
@@ -497,7 +497,7 @@ static HANDLE access_random_seed(int action)
 * on older versions of Windows if we cared enough. * However, the invocation below requires IE5+ anyway, * so stuff that. */
- shell32_module = LoadLibrary("SHELL32.DLL");
+ shell32_module = load_system32_dll("shell32.dll");
 GET_WINDOWS_FUNCTION(shell32_module, SHGetFolderPathA);
 tried_shgetfolderpath = TRUE;
 }
diff --git a/windows/winstuff.h b/windows/winstuff.h
index 99bda104..23177485 100644
--- a/windows/winstuff.h
+++ b/windows/winstuff.h
@@ -446,6 +446,7 @@ void show_help(HWND hwnd);
 */ extern OSVERSIONINFO osVersion;
 BOOL init_winver(void);
+HMODULE load_system32_dll(const char *libname);
 /* * Exports from sizetip.c.
--
2.11.0
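Review bot: The new `load_system32_dll` prototype in winstuff.h has no comment, and its contract is the security-relevant part: `libname` is appended to the system directory unchanged, so it has to be a bare file name. I would add above the declaration `/* Load a DLL by full path from the system directory. libname must be a bare file name with no path separators; returns NULL on failure. */`. Every call site in this commit passes a string literal, so this records the existing usage and does not change it.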