[NTOSKRNL]

Don't trust the user!
Probe buffers in NtSetSystemInformation - SystemSessionCreate and in NtSetSystemInformation - SystemSessionDetach

svn path=/trunk/; revision=68221
Pierre Schweitzer 2015-06-21 05:40:15 +00:00
parent 4453279e3e
commit 103e282d2d


@ -2068,10 +2068,31 @@ SSI_DEF(SystemSessionCreate)
{ {
return STATUS_PRIVILEGE_NOT_HELD; return STATUS_PRIVILEGE_NOT_HELD;
} }
_SEH2_TRY
{
ProbeForWriteUlong(Buffer);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
} }
Status = MmSessionCreate(&SessionId); Status = MmSessionCreate(&SessionId);
if (NT_SUCCESS(Status)) *(PULONG)Buffer = SessionId; if (NT_SUCCESS(Status))
{
_SEH2_TRY
{
*(PULONG)Buffer = SessionId;
}
_SEH2_EXCEPT(ExSystemExceptionFilter())
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
}
return Status; return Status;
} }
@ -2091,9 +2112,21 @@ SSI_DEF(SystemSessionDetach)
{ {
return STATUS_PRIVILEGE_NOT_HELD; return STATUS_PRIVILEGE_NOT_HELD;
} }
}
_SEH2_TRY
{
SessionId = ProbeForReadUlong(Buffer);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
else
{
SessionId = *(PULONG)Buffer; SessionId = *(PULONG)Buffer;
}
return MmSessionDelete(SessionId); return MmSessionDelete(SessionId);
} }
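Review bot: In the SystemSessionCreate hunk, when the guarded store `*(PULONG)Buffer = SessionId;` faults, Status is overwritten with the exception code but the session that MmSessionCreate just created is left in place, so the caller sees a failure and never receives an id to detach with. The earlier ProbeForWriteUlong only validates the address at probe time, so the store can still fault for a privileged user-mode caller whose mapping changes in between. Consider undoing the creation in the handler, e.g. `MmSessionDelete(SessionId);` before `Status = _SEH2_GetExceptionCode();`, assuming MmSessionDelete is the correct inverse at that point. Both function bodies start outside the visible hunks, so it is also worth confirming that the length of Buffer is checked against `sizeof(ULONG)` before either probe runs.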