- Add user mode buffer probing for NtCreateKey, NtEnumerateKey, NtEnumerateValueKey, NtQueryKey, NtQueryValueKey
svn path=/trunk/; revision=41839
parent
4af59e7e33
commit
312cc46636
1 changed files with 100 additions and 2 deletions
|
@ -23,9 +23,9 @@ NtCreateKey(OUT PHANDLE KeyHandle,
|
|||
IN ACCESS_MASK DesiredAccess,
|
||||
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
||||
IN ULONG TitleIndex,
|
||||
IN PUNICODE_STRING Class,
|
||||
IN PUNICODE_STRING Class OPTIONAL,
|
||||
IN ULONG CreateOptions,
|
||||
OUT PULONG Disposition)
|
||||
OUT PULONG Disposition OPTIONAL)
|
||||
{
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
|
||||
|
@ -58,6 +58,8 @@ NtCreateKey(OUT PHANDLE KeyHandle,
|
|||
ProbeForRead(ObjectAttributes,
|
||||
sizeof(OBJECT_ATTRIBUTES),
|
||||
sizeof(ULONG));
|
||||
|
||||
if (Disposition) ProbeForWriteUlong(Disposition);
|
||||
}
|
||||
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
|
@ -228,6 +230,7 @@ NtEnumerateKey(IN HANDLE KeyHandle,
|
|||
IN ULONG Length,
|
||||
OUT PULONG ResultLength)
|
||||
{
|
||||
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
|
||||
NTSTATUS Status;
|
||||
PCM_KEY_BODY KeyObject;
|
||||
REG_ENUMERATE_KEY_INFORMATION EnumerateKeyInfo;
|
||||
|
@ -254,6 +257,29 @@ NtEnumerateKey(IN HANDLE KeyHandle,
|
|||
NULL);
|
||||
if (!NT_SUCCESS(Status)) return Status;
|
||||
|
||||
if (PreviousMode != KernelMode)
|
||||
{
|
||||
_SEH2_TRY
|
||||
{
|
||||
ProbeForWriteUlong(ResultLength);
|
||||
ProbeForWrite(KeyInformation,
|
||||
Length,
|
||||
sizeof(ULONG));
|
||||
}
|
||||
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
Status = _SEH2_GetExceptionCode();
|
||||
}
|
||||
_SEH2_END;
|
||||
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
/* Dereference and return status */
|
||||
ObDereferenceObject(KeyObject);
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
/* Setup the callback */
|
||||
PostOperationInfo.Object = (PVOID)KeyObject;
|
||||
EnumerateKeyInfo.Object = (PVOID)KeyObject;
|
||||
|
@ -293,6 +319,7 @@ NtEnumerateValueKey(IN HANDLE KeyHandle,
|
|||
IN ULONG Length,
|
||||
OUT PULONG ResultLength)
|
||||
{
|
||||
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
|
||||
NTSTATUS Status;
|
||||
PCM_KEY_BODY KeyObject;
|
||||
REG_ENUMERATE_VALUE_KEY_INFORMATION EnumerateValueKeyInfo;
|
||||
|
@ -319,6 +346,29 @@ NtEnumerateValueKey(IN HANDLE KeyHandle,
|
|||
NULL);
|
||||
if (!NT_SUCCESS(Status)) return Status;
|
||||
|
||||
if (PreviousMode != KernelMode)
|
||||
{
|
||||
_SEH2_TRY
|
||||
{
|
||||
ProbeForWriteUlong(ResultLength);
|
||||
ProbeForWrite(KeyValueInformation,
|
||||
Length,
|
||||
sizeof(ULONG));
|
||||
}
|
||||
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
Status = _SEH2_GetExceptionCode();
|
||||
}
|
||||
_SEH2_END;
|
||||
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
/* Dereference and return status */
|
||||
ObDereferenceObject(KeyObject);
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
/* Setup the callback */
|
||||
PostOperationInfo.Object = (PVOID)KeyObject;
|
||||
EnumerateValueKeyInfo.Object = (PVOID)KeyObject;
|
||||
|
@ -358,6 +408,7 @@ NtQueryKey(IN HANDLE KeyHandle,
|
|||
IN ULONG Length,
|
||||
OUT PULONG ResultLength)
|
||||
{
|
||||
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
|
||||
NTSTATUS Status;
|
||||
PCM_KEY_BODY KeyObject;
|
||||
REG_QUERY_KEY_INFORMATION QueryKeyInfo;
|
||||
|
@ -414,6 +465,29 @@ NtQueryKey(IN HANDLE KeyHandle,
|
|||
/* Quit on failure */
|
||||
if (!NT_SUCCESS(Status)) return Status;
|
||||
|
||||
if (PreviousMode != KernelMode)
|
||||
{
|
||||
_SEH2_TRY
|
||||
{
|
||||
ProbeForWriteUlong(ResultLength);
|
||||
ProbeForWrite(KeyInformation,
|
||||
Length,
|
||||
sizeof(ULONG));
|
||||
}
|
||||
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
Status = _SEH2_GetExceptionCode();
|
||||
}
|
||||
_SEH2_END;
|
||||
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
/* Dereference and return status */
|
||||
ObDereferenceObject(KeyObject);
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
/* Setup the callback */
|
||||
PostOperationInfo.Object = (PVOID)KeyObject;
|
||||
QueryKeyInfo.Object = (PVOID)KeyObject;
|
||||
|
@ -452,6 +526,7 @@ NtQueryValueKey(IN HANDLE KeyHandle,
|
|||
IN ULONG Length,
|
||||
OUT PULONG ResultLength)
|
||||
{
|
||||
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
|
||||
NTSTATUS Status;
|
||||
PCM_KEY_BODY KeyObject;
|
||||
REG_QUERY_VALUE_KEY_INFORMATION QueryValueKeyInfo;
|
||||
|
@ -470,6 +545,29 @@ NtQueryValueKey(IN HANDLE KeyHandle,
|
|||
NULL);
|
||||
if (!NT_SUCCESS(Status)) return Status;
|
||||
|
||||
if (PreviousMode != KernelMode)
|
||||
{
|
||||
_SEH2_TRY
|
||||
{
|
||||
ProbeForWriteUlong(ResultLength);
|
||||
ProbeForWrite(KeyValueInformation,
|
||||
Length,
|
||||
sizeof(ULONG));
|
||||
}
|
||||
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
Status = _SEH2_GetExceptionCode();
|
||||
}
|
||||
_SEH2_END;
|
||||
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
/* Dereference and return status */
|
||||
ObDereferenceObject(KeyObject);
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
/* Make sure the name is aligned properly */
|
||||
if ((ValueNameCopy.Length & (sizeof(WCHAR) - 1)))
|
||||
{
|
||||
|
|
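Review bot: The probe blocks added to NtEnumerateKey, NtEnumerateValueKey, NtQueryKey and NtQueryValueKey validate the user range only at the moment of the call, so they do not by themselves make the later stores to `KeyInformation`/`KeyValueInformation` and `ResultLength` safe; the caller's pages can be unmapped or reprotected afterwards, and `ProbeForWrite` does nothing when `Length` is 0. The code that performs those writes lies outside the visible hunks, so it may already be guarded, but if it is not, each write needs to sit inside its own `_SEH2_TRY`/`_SEH2_EXCEPT` or go through a kernel-side buffer that is copied out under SEH. I would at least add `/* Probe checks the range only at this point; every later write to the user buffer must still be done under SEH */` above each `_SEH2_TRY`. In NtCreateKey the hunk probes `Disposition` but shows no probe or capture for the now-optional `Class`, so it is worth confirming that this happens elsewhere in the function.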