RE: Long path exploit on NTFS

From: David LeBlanc (dleblancat_private)
Date: Thu Jan 31 2002 - 09:12:38 PST

Next message: Jarno Huuskonen: "Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc"

Previous message: Scott Brewster: "Re: DoS bug on Tru64"
In reply to: hans.somersat_private: "Long path exploit on NTFS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: hans.somersat_private [mailto:hans.somersat_private] 

> > The filepath (drive + folderpath + filename) theoraticly 
> can take up to 32000 charaters if the filesystem in use is NTFS. 
> However, the way in wich Windows NT (4.0, 2000 and XP) access this 
> filesystem a maximum of 256 characters is in place. 

This isn't quite correct. If you RTFM, you find from the documentation
on CreateFile:

Windows NT/2000/XP: In the ANSI version of this function, the name is
limited to MAX_PATH characters. To extend this limit to nearly 32,000
wide characters, call the Unicode version of the function and prepend
"\\?\" to the path. For more information, see File Name Conventions. 

BTW, The Fine Manual can be found at
http://msdn.microsoft.com/library/en-us/fileio/filesio_7wmd.asp?frame=tr
ue

Clicking on the link labeled 'File Name Conventions' gives:

Process a path as a null-terminated string. The maximum length for a
path, including a trailing backslash, is given by MAX_PATH. 
The Unicode versions of several functions permit paths that exceed the
MAX_PATH length if the path has the "\\?\" prefix. The "\\?\" tells the
function to turn off path parsing. However, each component in the path
cannot be more than MAX_PATH characters long. Use the "\\?\" prefix with
paths for local storage devices and the "\\?\UNC\" prefix with paths
having the Universal Naming Convention (UNC) format. The "\\?\" is
ignored as part of the path.

So the bottom line is that you have to use the API correctly if you wish
to deal correctly with long paths, either for creation or opening. This
can pose some difficulties, as not all of the API calls are available if
long paths are used. It also understandably gives anti-virus software
some problems, as those apps probably have a primary target platform of
Win9x/ME.

This issue comes up every few years - it ought to be in a FAQ somewhere.
Perhaps I'll give it some coverage in the next edition of 'Writing
Secure Code".

David LeBlanc
dleblancat_private

Next message: Jarno Huuskonen: "Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc"
Previous message: Scott Brewster: "Re: DoS bug on Tru64"
In reply to: hans.somersat_private: "Long path exploit on NTFS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 12:18:32 PST