- Fix null pointer dereferences

- Fix out of bounds array access - Check that we got a valid pointer from HeapAlloc - Don't close the caller's handle when we fail - Fix a memory leak - Found by Amine Khaldi svn path=/trunk/; revision=42774
2025-02-23 00:45:24 +00:00 · 2009-08-18 20:30:58 +00:00 · 2009-08-18 20:30:58 +00:00 · 3263e1f67a
commit 3263e1f67a
parent e74d2c5ce4
5 changed files with 36 additions and 18 deletions
--- a/reactos/dll/win32/iphlpapi/ifenum_reactos.c
+++ b/reactos/dll/win32/iphlpapi/ifenum_reactos.c
@ -582,6 +582,8 @@ const char *getInterfaceNameByIndex(DWORD index)

            interfaceName = HeapAlloc( GetProcessHeap(), 0,
                                       strlen(adapter_name) + 1 );
+            if (!interfaceName) return NULL;
+
            strcpy( interfaceName, adapter_name );
        }

@ -847,15 +849,14 @@ DWORD getInterfaceEntryByIndex(DWORD index, PMIB_IFROW entry)

 char *toIPAddressString(unsigned int addr, char string[16])
 {
-  if (string) {
    struct in_addr iAddr;

    iAddr.s_addr = addr;
-    /* extra-anal, just to make auditors happy */
-    strncpy(string, inet_ntoa(iAddr), 16);
-    string[16] = '\0';
-  }
-  return string;
+
+    if (string)
+        strncpy(string, inet_ntoa(iAddr), 16);
+  
+    return inet_ntoa(iAddr);
 }

 NTSTATUS addIPAddress( IPAddr Address, IPMask Mask, DWORD IfIndex,
--- a/reactos/dll/win32/iphlpapi/iphlpapi_main.c
+++ b/reactos/dll/win32/iphlpapi/iphlpapi_main.c
@ -102,6 +102,7 @@ DWORD getInterfaceGatewayByIndex(DWORD index)
 {
   DWORD ndx, retVal = 0, numRoutes = getNumRoutes();
   RouteTable *table = getRouteTable();
+   if (!table) return 0;

    for (ndx = 0; ndx < numRoutes; ndx++)
    {
@ -645,9 +646,12 @@ DWORD WINAPI GetAdaptersInfo(PIP_ADAPTER_INFO pAdapterInfo, PULONG pOutBufLen)
              DWORD addrLen = sizeof(ptr->Address), type;
              const char *ifname =
                  getInterfaceNameByIndex(table->indexes[ndx]);
+              if (!ifname) {
+                  ret = ERROR_OUTOFMEMORY;
+                  break;
+              }

              /* on Win98 this is left empty, but whatever */
-
              strncpy(ptr->AdapterName,ifname,sizeof(ptr->AdapterName));
              consumeInterfaceName(ifname);
              ptr->AdapterName[MAX_ADAPTER_NAME_LENGTH] = '\0';
@ -983,9 +987,9 @@ DWORD WINAPI GetInterfaceInfo(PIP_INTERFACE_INFO pIfTable, PULONG dwOutBufLen)
    }
    else {
      InterfaceIndexTable *table = getNonLoopbackInterfaceIndexTable();
-      TRACE("table->numIndexes == 0x%x\n", table->numIndexes);

      if (table) {
+        TRACE("table->numIndexes == 0x%x\n", table->numIndexes);
        size = sizeof(IP_INTERFACE_INFO) + (table->numIndexes) *
         sizeof(IP_ADAPTER_INDEX_MAP);
        if (*dwOutBufLen < size) {
--- a/reactos/dll/win32/iphlpapi/ipstats_reactos.c
+++ b/reactos/dll/win32/iphlpapi/ipstats_reactos.c
@ -459,6 +459,10 @@ RouteTable *getRouteTable(void)
    out_route_table = HeapAlloc( GetProcessHeap(), 0,
                                 sizeof(RouteTable) +
                                 (sizeof(RouteEntry) * (numRoutes - 1)) );
+    if (!out_route_table) {
+        closeTcpFile(tcpFile);
+        return NULL;
+    }

    out_route_table->numRoutes = numRoutes;

@ -586,6 +590,10 @@ PMIB_IPNETTABLE getArpTable(void)
    IpArpTable = HeapAlloc
 	( GetProcessHeap(), 0,
 	  sizeof(DWORD) + (sizeof(MIB_IPNETROW) * totalNumber) );
+    if (!IpArpTable) {
+        closeTcpFile(tcpFile);
+        return NULL;
+    }

    status = tdiGetEntityIDSet( tcpFile, &entitySet, &numEntities );

--- a/reactos/dll/win32/iphlpapi/registry.c
+++ b/reactos/dll/win32/iphlpapi/registry.c
@ -44,18 +44,19 @@ PWCHAR GetNthChildKeyName( HANDLE RegHandle, DWORD n ) {
  PWCHAR Value;
  DWORD ValueLen;

-  if (MaxAdapterName == -1) {
-    RegCloseKey( RegHandle );
+  if (MaxAdapterName == -1)
    return 0;
-  }

  ValueLen = MaxAdapterName;
  Value = (PWCHAR)HeapAlloc( GetProcessHeap(), 0, MaxAdapterName * sizeof(WCHAR) );
+  if (!Value) return 0;
+
  Status = RegEnumKeyExW( RegHandle, n, Value, &ValueLen,
 			  NULL, NULL, NULL, NULL );
-  if (Status != ERROR_SUCCESS)
+  if (Status != ERROR_SUCCESS) {
+    HeapFree(GetProcessHeap(), 0, Value);
    return 0;
-  else {
+  } else {
    Value[ValueLen] = 0;
    return Value;
  }
--- a/reactos/dll/win32/iphlpapi/resinfo_reactos.c
+++ b/reactos/dll/win32/iphlpapi/resinfo_reactos.c
@ -151,11 +151,13 @@ void EnumNameServers( HANDLE RegHandle, PWCHAR Interface,
 	}
 	if (ch - LastNameStart > 0) { /* A last name? */
 	    PWCHAR NameServer = malloc(((ch - LastNameStart) + 1) * sizeof(WCHAR));
-	    memcpy(NameServer,NameServerString + LastNameStart,
-		   (ch - LastNameStart) * sizeof(WCHAR));
-	    NameServer[ch - LastNameStart] = 0;
-	    cb( Interface, NameServer, Data );
-	    free(NameServer);
+            if (NameServer) {
+	        memcpy(NameServer,NameServerString + LastNameStart,
+		       (ch - LastNameStart) * sizeof(WCHAR));
+	        NameServer[ch - LastNameStart] = 0;
+	        cb( Interface, NameServer, Data );
+	        free(NameServer);
+            }
 	}
 	ConsumeRegValueString(NameServerString);
    }
@ -223,6 +225,8 @@ PIPHLP_RES_INFO getResInfo() {

    PrivateNSEnum.NumServers = ServerCount;
    DnsList = HeapAlloc(GetProcessHeap(), 0, ServerCount * sizeof(IP_ADDR_STRING));
+    if (!DnsList) return NULL;
+
    ZeroMemory(DnsList, ServerCount * sizeof(IP_ADDR_STRING));

    ResInfo = (PIPHLP_RES_INFO)RtlAllocateHeap ( GetProcessHeap(), 0, sizeof(IPHLP_RES_INFO));