From 68348f909bcecf8b07c0e427a3ac96cc502cf987 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Fri, 10 Apr 2015 10:10:28 +0000
Subject: [PATCH] =?UTF-8?q?[NTOS:PNP]=20-=20Add=20missing=20SEH/Probe=20in?=
 =?UTF-8?q?=20NtGetPlugPlayEvent=20and=20IopGetInterfaceDeviceList,=20and?=
 =?UTF-8?q?=20correctly=20copy=20the=20interface=20list.=20Patch=20by=20St?=
 =?UTF-8?q?ephan=20R=C3=B6ger.=20CORE-9498=20#resolve?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

svn path=/trunk/; revision=67129
---
 reactos/ntoskrnl/io/pnpmgr/plugplay.c | 59 +++++++++++++++++++--------
 1 file changed, 41 insertions(+), 18 deletions(-)

diff --git a/reactos/ntoskrnl/io/pnpmgr/plugplay.c b/reactos/ntoskrnl/io/pnpmgr/plugplay.c
index 86f3f5f63a0..25791eb2049 100644
--- a/reactos/ntoskrnl/io/pnpmgr/plugplay.c
+++ b/reactos/ntoskrnl/io/pnpmgr/plugplay.c
@@ -214,22 +214,23 @@ static NTSTATUS
 IopGetInterfaceDeviceList(PPLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA DeviceList)
 {
     NTSTATUS Status;
+    PLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA StackList;
     UNICODE_STRING DeviceInstance;
     PDEVICE_OBJECT DeviceObject = NULL;
-    ULONG BufferSize = 0;
     GUID FilterGuid;
     PZZWSTR SymbolicLinkList = NULL, LinkList;
-    ULONG TotalLength = 0;
+    ULONG TotalLength;
 
     _SEH2_TRY
     {
-        ProbeForRead(DeviceList->FilterGuid, sizeof(GUID), sizeof(UCHAR));
-        RtlCopyMemory(&FilterGuid, DeviceList->FilterGuid, sizeof(GUID));
+        RtlCopyMemory(&StackList, DeviceList, sizeof(PLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA));
 
-        if (DeviceList->Buffer != NULL && DeviceList->BufferSize != 0)
+        ProbeForRead(StackList.FilterGuid, sizeof(GUID), sizeof(UCHAR));
+        RtlCopyMemory(&FilterGuid, StackList.FilterGuid, sizeof(GUID));
+
+        if (StackList.Buffer != NULL && StackList.BufferSize != 0)
         {
-            BufferSize = DeviceList->BufferSize;
-            ProbeForWrite(DeviceList->Buffer, BufferSize, sizeof(UCHAR));
+            ProbeForWrite(StackList.Buffer, StackList.BufferSize, sizeof(UCHAR));
         }
     }
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
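Review bot: `RtlCopyMemory(&StackList, DeviceList, sizeof(PLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA));` reads the whole structure through the raw caller pointer with no `ProbeForRead(DeviceList, sizeof(*DeviceList), sizeof(UCHAR));` in front of it, while the nested `FilterGuid` and `Buffer` pointers are probed a few lines later; the SEH block only converts an unmapped address into a status, it does not reject a non-user address the way the probe does. If NtPlugPlayControl already probes the control buffer for the whole structure this is fine, but then a one-line comment at the copy saying so would document what the function relies on; otherwise the probe should precede the copy. The same raw `DeviceList` pointer is written through in the hunk at -259 (`DeviceList->BufferSize = TotalLength;`) without a `ProbeForWrite` of that field, so the probe at the top should cover the structure for write, or the field should be probed before the store. `sizeof(StackList)` would also be the shorter spelling of the copy size. IopGetInterfaceDeviceList continues past the end of this hunk.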
@@ -238,8 +239,7 @@ IopGetInterfaceDeviceList(PPLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA DeviceLis
     }
     _SEH2_END;
 
-
-    Status = IopCaptureUnicodeString(&DeviceInstance, &DeviceList->DeviceInstance);
+    Status = IopCaptureUnicodeString(&DeviceInstance, &StackList.DeviceInstance);
     if (NT_SUCCESS(Status))
     {
         /* Get the device object */
@@ -247,7 +247,7 @@ IopGetInterfaceDeviceList(PPLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA DeviceLis
         ExFreePool(DeviceInstance.Buffer);
     }
 
-    Status = IoGetDeviceInterfaces(&FilterGuid, DeviceObject, DeviceList->Flags, &SymbolicLinkList);
+    Status = IoGetDeviceInterfaces(&FilterGuid, DeviceObject, StackList.Flags, &SymbolicLinkList);
     ObDereferenceObject(DeviceObject);
 
     if (!NT_SUCCESS(Status))
@@ -259,16 +259,28 @@ IopGetInterfaceDeviceList(PPLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA DeviceLis
     LinkList = SymbolicLinkList;
     while (*SymbolicLinkList != UNICODE_NULL)
     {
-        TotalLength += (wcslen(SymbolicLinkList) + 1) * sizeof(WCHAR);
         SymbolicLinkList += wcslen(SymbolicLinkList) + (sizeof(UNICODE_NULL) / sizeof(WCHAR));
     }
-    TotalLength += sizeof(UNICODE_NULL);
+    TotalLength = ((SymbolicLinkList - LinkList + 1) * sizeof(WCHAR));
 
-    if (BufferSize >= TotalLength)
+    _SEH2_TRY
     {
-        RtlCopyMemory(DeviceList->Buffer, SymbolicLinkList, TotalLength * sizeof(WCHAR));
+        if (StackList.Buffer != NULL &&
+            StackList.BufferSize >= TotalLength)
+        {
+            // We've already probed the buffer for writing above.
+            RtlCopyMemory(StackList.Buffer, LinkList, TotalLength);
+        }
+
+        DeviceList->BufferSize = TotalLength;
     }
-    DeviceList->BufferSize = TotalLength;
+    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+    {
+        ExFreePool(LinkList);
+        _SEH2_YIELD(return _SEH2_GetExceptionCode());
+    }
+    _SEH2_END;
+
     ExFreePool(LinkList);
     return STATUS_SUCCESS;
 }
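Review bot: `TotalLength = ((SymbolicLinkList - LinkList + 1) * sizeof(WCHAR));` in the hunk at -259 stores a pointer difference multiplied by `sizeof` — a pointer-width value on 64-bit builds — into a `ULONG` with no cast, so the narrowing is silent; `TotalLength = (ULONG)((SymbolicLinkList - LinkList + 1) * sizeof(WCHAR));` makes the intended truncation explicit. The byte count itself looks right: after the loop `SymbolicLinkList` sits on the final terminator, so the `+ 1` includes it and the copy now starts from `LinkList` rather than the end of the list. Separately, when `StackList.BufferSize` is smaller than `TotalLength` the function stores the required size but still returns `STATUS_SUCCESS`, so a caller can only detect truncation by comparing `BufferSize` afterwards; if that size-query-then-fill contract is intended, a comment on the `if` saying so would help, otherwise `STATUS_BUFFER_TOO_SMALL` seems the expected status. IopGetInterfaceDeviceList begins before this hunk.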
@@ -831,9 +843,20 @@ NtGetPlugPlayEvent(IN ULONG Reserved1,
     }
 
     /* Copy event data to the user buffer */
-    memcpy(Buffer,
-           &Entry->Event,
-           Entry->Event.TotalSize);
+    _SEH2_TRY
+    {
+        ProbeForWrite(Buffer,
+                      Entry->Event.TotalSize,
+                      sizeof(UCHAR));
+        RtlCopyMemory(Buffer,
+                      &Entry->Event,
+                      Entry->Event.TotalSize);
+    }
+    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+    {
+        _SEH2_YIELD(return _SEH2_GetExceptionCode());
+    }
+    _SEH2_END;
 
     DPRINT("NtGetPlugPlayEvent() done\n");