From 0ddf0a06c35ce39f330564f896d45611731bb74b Mon Sep 17 00:00:00 2001
From: Erdem Ersoy <erdemersoy@erdemersoy.net>
Date: Sun, 8 Mar 2020 21:36:07 +0300
Subject: [PATCH] [TRACERT] Fix undefined behavior by fixing ReplyBuffer size.
 (#2422)

CORE-16620
---
 base/applications/network/tracert/tracert.cpp | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/base/applications/network/tracert/tracert.cpp b/base/applications/network/tracert/tracert.cpp
index da026a65d00..1cabd0a2dd0 100644
--- a/base/applications/network/tracert/tracert.cpp
+++ b/base/applications/network/tracert/tracert.cpp
@@ -377,31 +377,31 @@ RunTraceRoute()
     }
 
     BYTE SendBuffer[PACKET_SIZE];
-    ICMPV6_ECHO_REPLY ReplyBufferv6;
-#ifdef _WIN64
-    ICMP_ECHO_REPLY32 ReplyBufferv432;
-#else
-    ICMP_ECHO_REPLY ReplyBufferv4;
-#endif
+
     PVOID ReplyBuffer;
 
     DWORD ReplySize = PACKET_SIZE + SIZEOF_ICMP_ERROR + SIZEOF_IO_STATUS_BLOCK;
     if (Info.Family == AF_INET6)
     {
-        ReplyBuffer = &ReplyBufferv6;
         ReplySize += sizeof(ICMPV6_ECHO_REPLY);
     }
     else
     {
 #ifdef _WIN64
-        ReplyBuffer = &ReplyBufferv432;
         ReplySize += sizeof(ICMP_ECHO_REPLY32);
 #else
-        ReplyBuffer = &ReplyBufferv4;
         ReplySize += sizeof(ICMP_ECHO_REPLY);
 #endif
     }
 
+    HANDLE heap = GetProcessHeap();
+    ReplyBuffer = HeapAlloc(heap, HEAP_ZERO_MEMORY, ReplySize);
+    if (ReplyBuffer == NULL)
+    {
+        FreeAddrInfoW(Info.Target);
+        return false;
+    }
+
     if (Info.Family == AF_INET6)
     {
         Info.hIcmpFile = Icmp6CreateFile();
@@ -412,6 +412,7 @@ RunTraceRoute()
     }
     if (Info.hIcmpFile == INVALID_HANDLE_VALUE)
     {
+        HeapFree(heap, 0, ReplyBuffer);
         FreeAddrInfoW(Info.Target);
         return false;
     }
@@ -486,6 +487,7 @@ RunTraceRoute()
 
     OutputText(IDS_TRACE_COMPLETE);
 
+    HeapFree(heap, 0, ReplyBuffer);
     FreeAddrInfoW(Info.Target);
     if (Info.hIcmpFile)
     {