Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-07-01 02:10:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

[NTOSKRNL]

Browse source 
Don't trust the user!
Probe buffers in NtSetSystemInformation - SystemSessionCreate and in NtSetSystemInformation - SystemSessionDetach

svn path=/trunk/; revision=68221
This commit is contained in:
Pierre Schweitzer 2015-06-21 05:40:15 +00:00
parent 4453279e3e
commit 103e282d2d
1 changed files with 36 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
reactos/ntoskrnl/ex/sysinfo.c
View file

@ -2068,10 +2068,31 @@ SSI_DEF(SystemSessionCreate)
{
return STATUS_PRIVILEGE_NOT_HELD;
}
_SEH2_TRY
{
ProbeForWriteUlong(Buffer);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
Status = MmSessionCreate(&SessionId);
if (NT_SUCCESS(Status)) *(PULONG)Buffer = SessionId;
if (NT_SUCCESS(Status))
{
_SEH2_TRY
{
*(PULONG)Buffer = SessionId;
}
_SEH2_EXCEPT(ExSystemExceptionFilter())
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
}
return Status;
}
@ -2091,9 +2112,21 @@ SSI_DEF(SystemSessionDetach)
{
return STATUS_PRIVILEGE_NOT_HELD;
}
}
SessionId = *(PULONG)Buffer;
_SEH2_TRY
{
SessionId = ProbeForReadUlong(Buffer);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
else
{
SessionId = *(PULONG)Buffer;
}
return MmSessionDelete(SessionId);
}