Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-06-05 01:10:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS:IO] Fix similar bugs in IopGetDriverNames(), IopInitializeBuiltinDriver() and IopLoadDriver().

Browse source 
- As they are initialized, some registry string values must be NULL-terminated.
- When retrieving REG_DWORD registry values, validate their length.
This commit is contained in:
Hermès Bélusca-Maïto 2021-06-10 21:20:17 +02:00
parent a82ff90b21
commit 0d28f27156
No known key found for this signature in database
GPG key ID: 3B2539C65E7B93D0
1 changed files with 9 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
ntoskrnl/io/iomgr/driver.c
View file

@ -144,7 +144,7 @@ IopGetDriverNames(
return STATUS_ILL_FORMED_SERVICE_ENTRY; return STATUS_ILL_FORMED_SERVICE_ENTRY;
} }
driverName.Length = kvInfo->DataLength - sizeof(WCHAR); driverName.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
driverName.MaximumLength = kvInfo->DataLength; driverName.MaximumLength = kvInfo->DataLength;
driverName.Buffer = ExAllocatePoolWithTag(NonPagedPool, driverName.MaximumLength, TAG_IO); driverName.Buffer = ExAllocatePoolWithTag(NonPagedPool, driverName.MaximumLength, TAG_IO);
if (!driverName.Buffer) if (!driverName.Buffer)
@ -156,6 +156,7 @@ IopGetDriverNames(
RtlMoveMemory(driverName.Buffer, RtlMoveMemory(driverName.Buffer,
(PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset), (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
driverName.Length); driverName.Length);
driverName.Buffer[driverName.Length / sizeof(WCHAR)] = UNICODE_NULL;
ExFreePool(kvInfo); ExFreePool(kvInfo);
} }
@ -204,7 +205,7 @@ IopGetDriverNames(
ExFreePoolWithTag(basicInfo, TAG_IO); ExFreePoolWithTag(basicInfo, TAG_IO);
return status; return status;
} }
if (kvInfo->Type != REG_DWORD) if (kvInfo->Type != REG_DWORD || kvInfo->DataLength != sizeof(ULONG))
{ {
ExFreePool(kvInfo); ExFreePool(kvInfo);
ExFreePoolWithTag(basicInfo, TAG_IO); // container for serviceName ExFreePoolWithTag(basicInfo, TAG_IO); // container for serviceName
@ -897,7 +898,7 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)
{ {
goto Cleanup; goto Cleanup;
} }
if (kvInfo->Type != REG_DWORD) if (kvInfo->Type != REG_DWORD || kvInfo->DataLength != sizeof(ULONG))
{ {
ExFreePool(kvInfo); ExFreePool(kvInfo);
goto Cleanup; goto Cleanup;
@ -924,7 +925,7 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)
continue; continue;
} }
instancePath.Length = kvInfo->DataLength - sizeof(WCHAR); instancePath.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
instancePath.MaximumLength = kvInfo->DataLength; instancePath.MaximumLength = kvInfo->DataLength;
instancePath.Buffer = ExAllocatePoolWithTag(NonPagedPool, instancePath.Buffer = ExAllocatePoolWithTag(NonPagedPool,
instancePath.MaximumLength, instancePath.MaximumLength,
@ -932,8 +933,9 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)
if (instancePath.Buffer) if (instancePath.Buffer)
{ {
RtlMoveMemory(instancePath.Buffer, RtlMoveMemory(instancePath.Buffer,
(PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset), (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
instancePath.Length); instancePath.Length);
instancePath.Buffer[instancePath.Length / sizeof(WCHAR)] = UNICODE_NULL;
PDEVICE_OBJECT pdo = IopGetDeviceObjectFromDeviceInstance(&instancePath); PDEVICE_OBJECT pdo = IopGetDeviceObjectFromDeviceInstance(&instancePath);
PiQueueDeviceAction(pdo, PiActionAddBootDevices, NULL, NULL); PiQueueDeviceAction(pdo, PiActionAddBootDevices, NULL, NULL);
@ -1900,6 +1902,7 @@ IopLoadDriver(
RtlMoveMemory(ImagePath.Buffer, RtlMoveMemory(ImagePath.Buffer,
(PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset), (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
ImagePath.Length); ImagePath.Length);
ImagePath.Buffer[ImagePath.Length / sizeof(WCHAR)] = UNICODE_NULL;
ExFreePool(kvInfo); ExFreePool(kvInfo);
} }
else else