From 0d6a879b5a1139dd8f53327dff4ef3a2257920ce Mon Sep 17 00:00:00 2001 From: Eric Kohl Date: Wed, 6 Jun 2012 23:01:53 +0000 Subject: [PATCH] =?UTF-8?q?[SERVICES]=20Removing=20some=20code=20defects?= =?UTF-8?q?=20discovered=20by=20Coverity.=20Patch=20by=20Herm=C3=A8s=20B?= =?UTF-8?q?=C3=A9lusca.=20See=20issue=20#7105=20for=20more=20details.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit svn path=/trunk/; revision=56702 --- reactos/base/system/services/driver.c | 34 ++++++++++++++++++------ reactos/base/system/services/rpcserver.c | 19 ++++++------- 2 files changed, 36 insertions(+), 17 deletions(-) diff --git a/reactos/base/system/services/driver.c b/reactos/base/system/services/driver.c index bc7889792d5..236657d408f 100644 --- a/reactos/base/system/services/driver.c +++ b/reactos/base/system/services/driver.c @@ -19,19 +19,26 @@ DWORD ScmLoadDriver(PSERVICE lpService) { - WCHAR szDriverPath[MAX_PATH]; + PWSTR pszDriverPath; UNICODE_STRING DriverPath; NTSTATUS Status; DWORD dwError = ERROR_SUCCESS; /* Build the driver path */ - wcscpy(szDriverPath, + /* 52 = wcslen(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\") */ + pszDriverPath = HeapAlloc(GetProcessHeap(), + HEAP_ZERO_MEMORY, + (52 + wcslen(lpService->lpServiceName) + 1) * sizeof(WCHAR)); + if (pszDriverPath == NULL) + return ERROR_NOT_ENOUGH_MEMORY; + + wcscpy(pszDriverPath, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"); - wcscat(szDriverPath, + wcscat(pszDriverPath, lpService->lpServiceName); RtlInitUnicodeString(&DriverPath, - szDriverPath); + pszDriverPath); /* FIXME: Acquire privilege */ @@ -45,6 +52,8 @@ ScmLoadDriver(PSERVICE lpService) dwError = RtlNtStatusToDosError(Status); } + HeapFree(GetProcessHeap(), 0, pszDriverPath); + return dwError; } 
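Review bot: The allocation size in ScmLoadDriver depends on the literal `52`, which must be kept in sync by hand with the prefix string copied a few lines later; if the prefix is edited without the number, the `wcscpy`/`wcscat` pair writes past the heap block. Deriving the length from the string removes that coupling, e.g. a file-scope `static const WCHAR szServicesKey[] = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\";` with the size written as `sizeof(szServicesKey) + wcslen(lpService->lpServiceName) * sizeof(WCHAR)`. The ScmUnloadDriver hunk (`@@ -52,19 +61,26 @@`) repeats the same pattern, so one shared path-building helper would fix both. Separately, the buffer is handed to `RtlInitUnicodeString`, whose length fields are 16-bit; if lpServiceName is not length-limited elsewhere (not visible here), an upper-bound check before allocating is worth adding.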
@@ -52,19 +61,26 @@ ScmLoadDriver(PSERVICE lpService) DWORD ScmUnloadDriver(PSERVICE lpService) { - WCHAR szDriverPath[MAX_PATH]; + PWSTR pszDriverPath; UNICODE_STRING DriverPath; NTSTATUS Status; DWORD dwError = ERROR_SUCCESS; /* Build the driver path */ - wcscpy(szDriverPath, + /* 52 = wcslen(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\") */ + pszDriverPath = HeapAlloc(GetProcessHeap(), + HEAP_ZERO_MEMORY, + (52 + wcslen(lpService->lpServiceName) + 1) * sizeof(WCHAR)); + if (pszDriverPath == NULL) + return ERROR_NOT_ENOUGH_MEMORY; + + wcscpy(pszDriverPath, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"); - wcscat(szDriverPath, + wcscat(pszDriverPath, lpService->lpServiceName); RtlInitUnicodeString(&DriverPath, - szDriverPath); + pszDriverPath); /* FIXME: Acquire privilege */ @@ -77,6 +93,8 @@ ScmUnloadDriver(PSERVICE lpService) dwError = RtlNtStatusToDosError(Status); } + HeapFree(GetProcessHeap(), 0, pszDriverPath); + return dwError; } diff --git a/reactos/base/system/services/rpcserver.c b/reactos/base/system/services/rpcserver.c index f197c3a9f12..db723168362 100644 --- a/reactos/base/system/services/rpcserver.c +++ b/reactos/base/system/services/rpcserver.c @@ -405,6 +405,11 @@ ScmConvertToBootPathName(wchar_t *CanonName, wchar_t **RelativeName) DPRINT("ScmConvertToBootPathName %S\n", CanonName); + if (!RelativeName) + return ERROR_INVALID_PARAMETER; + + *RelativeName = NULL; + ServiceNameLen = wcslen(CanonName); /* First check, if it's already good */ @@ -550,7 +555,6 @@ ScmConvertToBootPathName(wchar_t *CanonName, wchar_t **RelativeName) if (BufferSize > 0xFFFD) { DPRINT("Too large buffer required\n"); - *RelativeName = 0; if (SymbolicLinkHandle) NtClose(SymbolicLinkHandle); HeapFree(GetProcessHeap(), 0, Expanded); 
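Review bot: `CanonName` is still dereferenced without a NULL check in ScmConvertToBootPathName, because the new guard validates only `RelativeName`. The `DPRINT` above the guard and the `wcslen(CanonName)` right below it both read the input string. If any caller can pass a NULL path (the callers are outside this hunk), the guard should cover both parameters and come before the debug print: `if (!CanonName || !RelativeName) return ERROR_INVALID_PARAMETER;`. A one-line header comment would also help, stating that `*RelativeName` is set to NULL on entry and so stays NULL on every failure return, which is the contract the later hunks in this function rely on.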
@@ -635,14 +639,11 @@ ScmConvertToBootPathName(wchar_t *CanonName, wchar_t **RelativeName) } else { + /* Failure */ DPRINT("Error, Status = %08X\n", Status); HeapFree(GetProcessHeap(), 0, Expanded); return ERROR_INVALID_PARAMETER; } - - /* Failure */ - *RelativeName = NULL; - return ERROR_INVALID_PARAMETER; } @@ -1114,7 +1115,7 @@ DWORD RControlService( DesiredAccess = SERVICE_PAUSE_CONTINUE; break; - case SERVICE_INTERROGATE: + case SERVICE_CONTROL_INTERROGATE: DesiredAccess = SERVICE_INTERROGATE; break; @@ -2989,7 +2990,7 @@ DWORD RQueryServiceConfigW( lpConfig->lpDependencies = (LPWSTR)((ULONG_PTR)lpStr - (ULONG_PTR)lpConfig); if (lpDependencies != NULL) - lpStr += dwDependenciesLength * sizeof(WCHAR); + lpStr += dwDependenciesLength; else lpStr += (wcslen(lpStr) + 1); @@ -4105,7 +4106,7 @@ DWORD RQueryServiceConfigA( &lpDependencies, &dwDependenciesLength); - dwRequiredSize = sizeof(QUERY_SERVICE_CONFIGW); + dwRequiredSize = sizeof(QUERY_SERVICE_CONFIGA); if (lpImagePath != NULL) dwRequiredSize += wcslen(lpImagePath) + 1; @@ -4148,7 +4149,7 @@ DWORD RQueryServiceConfigA( lpStr = (LPSTR)(lpServiceConfig + 1); /* NOTE: Strings that are NULL for QUERY_SERVICE_CONFIG are pointers to empty strings. - Verified in WINXP*/ + Verified in WINXP */ if (lpImagePath) {
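Review bot: Nothing at this switch in RControlService says that the case labels are control codes while the values assigned to `DesiredAccess` are access rights, and the near-identical names of the two families are what let `SERVICE_INTERROGATE` be used as a label. I would add a comment above the switch such as `/* case labels: SERVICE_CONTROL_* codes; DesiredAccess: SERVICE_* access rights */`. Because the numeric value of the `SERVICE_INTERROGATE` access right falls in the user-defined control-code range, the old label would have matched such a code and required only interrogate access. The rest of the switch is outside the hunk, so it is worth confirming that user-defined codes now reach a branch requiring `SERVICE_USER_DEFINED_CONTROL`.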
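Review bot: The unit of `dwDependenciesLength` is not documented where `lpStr` is advanced in RQueryServiceConfigW, and that ambiguity is what made the old `* sizeof(WCHAR)` scaling easy to write. `lpStr` appears to be a WCHAR pointer (the else branch advances it by `wcslen(lpStr) + 1`), so the new line is correct only if the length is a count of WCHARs; its assignment is outside the hunk. After confirming, I would add `/* dwDependenciesLength is in WCHARs, terminators included; lpStr is LPWSTR, so no sizeof scaling */` on this line. It is also worth checking that the earlier `dwRequiredSize` computation uses the same unit, since a mismatch there would leave the output buffer too small.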
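Review bot: The ANSI size computation in RQueryServiceConfigA still adds `wcslen(lpImagePath) + 1` for the string, which counts UTF-16 code units rather than the bytes the converted string will occupy. On a multi-byte ANSI code page one WCHAR can convert to more than one byte, so `dwRequiredSize` may be smaller than what the conversion later writes; the conversion code is outside this hunk and should be checked. Sizing with the converter itself avoids the mismatch, e.g. `dwRequiredSize += WideCharToMultiByte(CP_ACP, 0, lpImagePath, -1, NULL, 0, NULL, NULL);`. The same presumably applies to the other string fields summed after this line.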