- Get rid of possible buffer overflows and memory corruptions due to an assumption that UNICODE_STRING's buffers are always NULL-terminated.

svn path=/trunk/; revision=31565
2025-01-01 03:54:02 +00:00 · 2008-01-02 16:06:03 +00:00 · 2008-01-02 16:06:03 +00:00 · 3c0efbc70d
commit 3c0efbc70d
parent 681c695d20
2 changed files with 26 additions and 26 deletions
--- a/reactos/ntoskrnl/io/iomgr/driver.c
+++ b/reactos/ntoskrnl/io/iomgr/driver.c
@ -222,27 +222,31 @@ IopNormalizeImagePath(

   if (InputImagePath.Length == 0)
   {
-      ImagePath->Length = (33 * sizeof(WCHAR)) + ServiceName->Length;
-      ImagePath->MaximumLength = ImagePath->Length + sizeof(UNICODE_NULL);
+      ImagePath->Length = 0;
+      ImagePath->MaximumLength =
+          (33 * sizeof(WCHAR)) + ServiceName->Length + sizeof(UNICODE_NULL);
      ImagePath->Buffer = ExAllocatePool(NonPagedPool, ImagePath->MaximumLength);
      if (ImagePath->Buffer == NULL)
         return STATUS_NO_MEMORY;

-      wcscpy(ImagePath->Buffer, L"\\SystemRoot\\system32\\drivers\\");
-      wcscat(ImagePath->Buffer, ServiceName->Buffer);
-      wcscat(ImagePath->Buffer, L".sys");
+      RtlAppendUnicodeToString(ImagePath, L"\\SystemRoot\\system32\\drivers\\");
+      RtlAppendUnicodeStringToString(ImagePath, ServiceName);
+      RtlAppendUnicodeToString(ImagePath, L".sys");
   } else
   if (InputImagePath.Buffer[0] != L'\\')
   {
-      ImagePath->Length = (12 * sizeof(WCHAR)) + InputImagePath.Length;
-      ImagePath->MaximumLength = ImagePath->Length + sizeof(UNICODE_NULL);
+      ImagePath->Length = 0;
+      ImagePath->MaximumLength =
+          12 * sizeof(WCHAR) + InputImagePath.Length + sizeof(UNICODE_NULL);
      ImagePath->Buffer = ExAllocatePool(NonPagedPool, ImagePath->MaximumLength);
      if (ImagePath->Buffer == NULL)
         return STATUS_NO_MEMORY;

-      wcscpy(ImagePath->Buffer, L"\\SystemRoot\\");
-      wcscat(ImagePath->Buffer, InputImagePath.Buffer);
-      ExFreePool(InputImagePath.Buffer);
+      RtlAppendUnicodeToString(ImagePath, L"\\SystemRoot\\");
+      RtlAppendUnicodeStringToString(ImagePath, &InputImagePath);
+
+      /* Free caller's string */
+      RtlFreeUnicodeString(&InputImagePath);
   }

   return STATUS_SUCCESS;
--- a/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
+++ b/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
@ -1593,7 +1593,6 @@ IopGetParentIdPrefix(PDEVICE_NODE DeviceNode,
                     PUNICODE_STRING ParentIdPrefix)
 {
   ULONG KeyNameBufferLength;
-   PWSTR KeyNameBuffer = NULL;
   PKEY_VALUE_PARTIAL_INFORMATION ParentIdPrefixInformation = NULL;
   UNICODE_STRING KeyName;
   UNICODE_STRING KeyValue;
@ -1620,15 +1619,20 @@ IopGetParentIdPrefix(PDEVICE_NODE DeviceNode,
       Status = STATUS_INSUFFICIENT_RESOURCES;
       goto cleanup;
   }
-   KeyNameBuffer = ExAllocatePool(PagedPool, (49 * sizeof(WCHAR)) + DeviceNode->Parent->InstancePath.Length);
-   if (!KeyNameBuffer)
+
+
+   KeyName.Buffer = ExAllocatePool(PagedPool, (49 * sizeof(WCHAR)) + DeviceNode->Parent->InstancePath.Length);
+   if (!KeyName.Buffer)
   {
       Status = STATUS_INSUFFICIENT_RESOURCES;
       goto cleanup;
   }
-   wcscpy(KeyNameBuffer, L"\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\");
-   wcscat(KeyNameBuffer, DeviceNode->Parent->InstancePath.Buffer);
-   RtlInitUnicodeString(&KeyName, KeyNameBuffer);
+   KeyName.Length = 0;
+   KeyName.MaximumLength = (49 * sizeof(WCHAR)) + DeviceNode->Parent->InstancePath.Length;
+
+   RtlAppendUnicodeToString(&KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\");
+   RtlAppendUnicodeStringToString(&KeyName, &DeviceNode->Parent->InstancePath);
+
   Status = IopOpenRegistryKeyEx(&hKey, NULL, &KeyName, KEY_QUERY_VALUE | KEY_SET_VALUE);
   if (!NT_SUCCESS(Status))
      goto cleanup;
@ -1678,7 +1682,7 @@ cleanup:
      Status = RtlDuplicateUnicodeString(RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE, &KeyValue, ParentIdPrefix);
   }
   ExFreePool(ParentIdPrefixInformation);
-   ExFreePool(KeyNameBuffer);
+   RtlFreeUnicodeString(&KeyName);
   if (hKey != NULL)
      ZwClose(hKey);
   return Status;
@ -1713,7 +1717,6 @@ IopActionInterrogateDeviceStack(PDEVICE_NODE DeviceNode,
   WCHAR InstancePath[MAX_PATH];
   IO_STACK_LOCATION Stack;
   NTSTATUS Status;
-   PWSTR KeyBuffer;
   PWSTR Ptr;
   USHORT Length;
   USHORT TotalLength;
@ -1851,19 +1854,12 @@ IopActionInterrogateDeviceStack(PDEVICE_NODE DeviceNode,
   /*
    * Create registry key for the instance id, if it doesn't exist yet
    */
-   KeyBuffer = ExAllocatePool(
-      PagedPool,
-      (49 * sizeof(WCHAR)) + DeviceNode->InstancePath.Length);
-   wcscpy(KeyBuffer, L"\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\");
-   wcscat(KeyBuffer, DeviceNode->InstancePath.Buffer);
-   Status = IopCreateDeviceKeyPath(/*KeyBuffer*/&DeviceNode->InstancePath, &InstanceKey);
-   ExFreePool(KeyBuffer);
+   Status = IopCreateDeviceKeyPath(&DeviceNode->InstancePath, &InstanceKey);
   if (!NT_SUCCESS(Status))
   {
      DPRINT1("Failed to create the instance key! (Status %lx)\n", Status);
   }

-
   {
      /* Set 'Capabilities' value */
      RtlInitUnicodeString(&ValueName, L"Capabilities");