Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-06-10 04:14:53 +00:00
Code Issues Projects Releases Packages Wiki Activity

Patch from w3seek: patch to fix a couple of argument probing bugs in NtQuerySymbolicLinkObject and NtCreateSymbolicLinkObject:

Browse source 
svn path=/trunk/; revision=22008
This commit is contained in:
Magnus Olsen 2006-05-24 14:41:53 +00:00
parent fbb73a8f5e
commit 80770b053a
1 changed files with 8 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

19
reactos/ntoskrnl/ob/symlink.c
View file

@ -236,8 +236,7 @@ NtCreateSymbolicLinkObject(OUT PHANDLE LinkHandle,
_SEH_TRY _SEH_TRY
{ {
/* Probe the target */ /* Probe the target */
ProbeForRead(LinkTarget, sizeof(UNICODE_STRING), sizeof(WCHAR)); CapturedLinkTarget = ProbeForReadUnicodeString(LinkTarget);
CapturedLinkTarget = *LinkTarget;
ProbeForRead(CapturedLinkTarget.Buffer, ProbeForRead(CapturedLinkTarget.Buffer,
CapturedLinkTarget.MaximumLength, CapturedLinkTarget.MaximumLength,
sizeof(WCHAR)); sizeof(WCHAR));
@ -329,7 +328,7 @@ NtCreateSymbolicLinkObject(OUT PHANDLE LinkHandle,
/* Return the handle to caller */ /* Return the handle to caller */
*LinkHandle = hLink; *LinkHandle = hLink;
} }
_SEH_HANDLE _SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{ {
/* Get exception code */ /* Get exception code */
Status = _SEH_GetExceptionCode(); Status = _SEH_GetExceptionCode();
@ -410,7 +409,7 @@ NtOpenSymbolicLinkObject(OUT PHANDLE LinkHandle,
/* Return the handle to caller */ /* Return the handle to caller */
*LinkHandle = hLink; *LinkHandle = hLink;
} }
_SEH_HANDLE _SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{ {
/* Get exception code */ /* Get exception code */
Status = _SEH_GetExceptionCode(); Status = _SEH_GetExceptionCode();
@ -448,7 +447,7 @@ NtQuerySymbolicLinkObject(IN HANDLE LinkHandle,
OUT PUNICODE_STRING LinkTarget, OUT PUNICODE_STRING LinkTarget,
OUT PULONG ResultLength OPTIONAL) OUT PULONG ResultLength OPTIONAL)
{ {
UNICODE_STRING SafeLinkTarget; UNICODE_STRING SafeLinkTarget = {0};
POBJECT_SYMBOLIC_LINK SymlinkObject; POBJECT_SYMBOLIC_LINK SymlinkObject;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
@ -460,15 +459,13 @@ NtQuerySymbolicLinkObject(IN HANDLE LinkHandle,
_SEH_TRY _SEH_TRY
{ {
/* Probe the unicode string for read and write */ /* Probe the unicode string for read and write */
ProbeForRead(LinkTarget, sizeof(UNICODE_STRING), sizeof(WCHAR)); ProbeForWriteUnicodeString(LinkTarget);
ProbeForWriteUshort(&LinkTarget->Length);
ProbeForWriteUshort(&LinkTarget->MaximumLength);
/* Probe the unicode string's buffer for write */ /* Probe the unicode string's buffer for write */
SafeLinkTarget = *LinkTarget; SafeLinkTarget = *LinkTarget;
ProbeForWrite(SafeLinkTarget.Buffer, ProbeForWrite(SafeLinkTarget.Buffer,
SafeLinkTarget.MaximumLength, SafeLinkTarget.MaximumLength,
sizeof(CHAR)); sizeof(WCHAR));
/* Probe the return length */ /* Probe the return length */
if(ResultLength) ProbeForWriteUlong(ResultLength); if(ResultLength) ProbeForWriteUlong(ResultLength);
@ -517,7 +514,7 @@ NtQuerySymbolicLinkObject(IN HANDLE LinkHandle,
if (LengthUsed <= SafeLinkTarget.MaximumLength) if (LengthUsed <= SafeLinkTarget.MaximumLength)
{ {
/* Copy the buffer */ /* Copy the buffer */
RtlMoveMemory(SafeLinkTarget.Buffer, RtlCopyMemory(SafeLinkTarget.Buffer,
SymlinkObject->LinkTarget.Buffer, SymlinkObject->LinkTarget.Buffer,
LengthUsed); LengthUsed);
@ -537,7 +534,7 @@ NtQuerySymbolicLinkObject(IN HANDLE LinkHandle,
*ResultLength = SymlinkObject->LinkTarget.MaximumLength; *ResultLength = SymlinkObject->LinkTarget.MaximumLength;
} }
} }
_SEH_HANDLE _SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{ {
/* Get the error code */ /* Get the error code */
Status = _SEH_GetExceptionCode(); Status = _SEH_GetExceptionCode();