[ADVAPI32] Do not call the classic service handler function with an event control code

EricKohl · EricKohl · commit 7015c76c63b0 · 2025-05-27T23:37:19.000+02:00
diff --git a/dll/win32/advapi32/service/sctrl.c b/dll/win32/advapi32/service/sctrl.c
@@ -551,6 +551,7 @@ ScControlService(PACTIVE_SERVICE lpService,
                  PSCM_CONTROL_PACKET ControlPacket)
 {
     DWORD dwError = ERROR_SUCCESS;
+    DWORD dwControl;
     DWORD dwEventType = 0;
     PVOID pEventData = NULL;
 
@@ -566,29 +567,39 @@ ScControlService(PACTIVE_SERVICE lpService,
     /* Set service tag */
     NtCurrentTeb()->SubProcessTag = UlongToPtr(lpService->dwServiceTag);
 
+    dwControl = ControlPacket->dwControl;
+
     if (lpService->HandlerFunction)
     {
-        _SEH2_TRY
+        if (((dwControl >= SERVICE_CONTROL_STOP) && (dwControl <= SERVICE_CONTROL_NETBINDDISABLE)) ||
+            ((dwControl >= 128) && (dwControl <= 255)))
         {
-            (lpService->HandlerFunction)(ControlPacket->dwControl);
+            _SEH2_TRY
+            {
+                (lpService->HandlerFunction)(dwControl);
+            }
+            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+            {
+                dwError = ERROR_EXCEPTION_IN_SERVICE;
+            }
+            _SEH2_END;
         }
-        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        else
         {
-            dwError = ERROR_EXCEPTION_IN_SERVICE;
+            dwError = ERROR_INVALID_SERVICE_CONTROL;
         }
-        _SEH2_END;
     }
     else if (lpService->HandlerFunctionEx)
     {
-        if (ControlPacket->dwControl == SERVICE_CONTROL_DEVICEEVENT)
+        if (dwControl == SERVICE_CONTROL_DEVICEEVENT)
         {
             dwEventType = *(LPDWORD)((ULONG_PTR)ControlPacket + sizeof(SCM_CONTROL_PACKET));
             pEventData = (PVOID)((ULONG_PTR)ControlPacket + sizeof(SCM_CONTROL_PACKET) + sizeof(DWORD));
         }
 
         _SEH2_TRY
         {
-            (lpService->HandlerFunctionEx)(ControlPacket->dwControl,
+            (lpService->HandlerFunctionEx)(dwControl,
                                            dwEventType,
                                            pEventData,
                                            lpService->HandlerContext);

Original file line number	Diff line number	Diff line change
`@@ -551,6 +551,7 @@ ScControlService(PACTIVE_SERVICE lpService,`
`551`	`551`	`PSCM_CONTROL_PACKET ControlPacket)`
`552`	`552`	`{`
`553`	`553`	`DWORD dwError = ERROR_SUCCESS;`
	`554`	`+ DWORD dwControl;`
`554`	`555`	`DWORD dwEventType = 0;`
`555`	`556`	`PVOID pEventData = NULL;`
`556`	`557`
`@@ -566,29 +567,39 @@ ScControlService(PACTIVE_SERVICE lpService,`
`566`	`567`	`/* Set service tag */`
`567`	`568`	`NtCurrentTeb()->SubProcessTag = UlongToPtr(lpService->dwServiceTag);`
`568`	`569`
	`570`	`+ dwControl = ControlPacket->dwControl;`
	`571`	`+`
`569`	`572`	`if (lpService->HandlerFunction)`
`570`	`573`	`{`
`571`		`- _SEH2_TRY`
	`574`	`+ if (((dwControl >= SERVICE_CONTROL_STOP) && (dwControl <= SERVICE_CONTROL_NETBINDDISABLE)) \|\|`
	`575`	`+ ((dwControl >= 128) && (dwControl <= 255)))`
`572`	`576`	`{`
`573`		`- (lpService->HandlerFunction)(ControlPacket->dwControl);`
	`577`	`+ _SEH2_TRY`
	`578`	`+ {`
	`579`	`+ (lpService->HandlerFunction)(dwControl);`
	`580`	`+ }`
	`581`	`+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)`
	`582`	`+ {`
	`583`	`+ dwError = ERROR_EXCEPTION_IN_SERVICE;`
	`584`	`+ }`
	`585`	`+ _SEH2_END;`
`574`	`586`	`}`
`575`		`- _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)`
	`587`	`+ else`
`576`	`588`	`{`
`577`		`- dwError = ERROR_EXCEPTION_IN_SERVICE;`
	`589`	`+ dwError = ERROR_INVALID_SERVICE_CONTROL;`
`578`	`590`	`}`
`579`		`- _SEH2_END;`
`580`	`591`	`}`
`581`	`592`	`else if (lpService->HandlerFunctionEx)`
`582`	`593`	`{`
`583`		`- if (ControlPacket->dwControl == SERVICE_CONTROL_DEVICEEVENT)`
	`594`	`+ if (dwControl == SERVICE_CONTROL_DEVICEEVENT)`
`584`	`595`	`{`
`585`	`596`	`dwEventType = *(LPDWORD)((ULONG_PTR)ControlPacket + sizeof(SCM_CONTROL_PACKET));`
`586`	`597`	`pEventData = (PVOID)((ULONG_PTR)ControlPacket + sizeof(SCM_CONTROL_PACKET) + sizeof(DWORD));`
`587`	`598`	`}`
`588`	`599`
`589`	`600`	`_SEH2_TRY`
`590`	`601`	`{`
`591`		`- (lpService->HandlerFunctionEx)(ControlPacket->dwControl,`
	`602`	`+ (lpService->HandlerFunctionEx)(dwControl,`
`592`	`603`	`dwEventType,`
`593`	`604`	`pEventData,`
`594`	`605`	`lpService->HandlerContext);`