Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-23 17:05:46 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS]

Browse source 
- A number of fixes to CmpQueryKeyName():
 * Properly check the provided buffer size against needed size.
 * Don't overwrite user provided buffer.
 * Write as much data as could fit into the buffer (this is normal behaviour for any query function in the kernel), returning STATUS_INFO_LENGTH_MISMATCH if not all data were written.

Thanks to r3ddr4g0n for identifying the problem, testing with DPH and testing this patch.

svn path=/trunk/; revision=54711
This commit is contained in:
Aleksey Bragin 2011-12-20 18:16:14 +00:00
parent f10a6e4cc9
commit 8fa9f7b979
1 changed files with 25 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
reactos/ntoskrnl/config/cmsysini.c
View file

@ -121,6 +121,7 @@ CmpQueryKeyName(IN PVOID ObjectBody,
IN KPROCESSOR_MODE PreviousMode) IN KPROCESSOR_MODE PreviousMode)
{ {
PUNICODE_STRING KeyName; PUNICODE_STRING KeyName;
ULONG BytesToCopy;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PCM_KEY_BODY KeyBody = (PCM_KEY_BODY)ObjectBody; PCM_KEY_BODY KeyBody = (PCM_KEY_BODY)ObjectBody;
PCM_KEY_CONTROL_BLOCK Kcb = KeyBody->KeyControlBlock; PCM_KEY_CONTROL_BLOCK Kcb = KeyBody->KeyControlBlock;
@ -155,17 +156,33 @@ CmpQueryKeyName(IN PVOID ObjectBody,
/* Set the returned length */ /* Set the returned length */
*ReturnLength = KeyName->Length + sizeof(OBJECT_NAME_INFORMATION) + sizeof(WCHAR); *ReturnLength = KeyName->Length + sizeof(OBJECT_NAME_INFORMATION) + sizeof(WCHAR);
/* Check if it fits into the provided buffer */ /* Calculate amount of bytes to copy into the buffer */
if ((Length < sizeof(OBJECT_NAME_INFORMATION)) || BytesToCopy = KeyName->Length + sizeof(WCHAR);
(Length < (*ReturnLength - sizeof(OBJECT_NAME_INFORMATION))))
/* Check if the provided buffer is too small to fit even anything */
if ((Length <= sizeof(OBJECT_NAME_INFORMATION)) ||
((Length < (*ReturnLength)) && (BytesToCopy < sizeof(WCHAR))))
{ {
/* Free the buffer allocated by CmpConstructName */ /* Free the buffer allocated by CmpConstructName */
ExFreePool(KeyName); ExFreePool(KeyName);
/* Return buffer length failure */ /* Return buffer length failure without writing anything there because nothing fits */
return STATUS_INFO_LENGTH_MISMATCH; return STATUS_INFO_LENGTH_MISMATCH;
} }
/* Check if the provided buffer can be partially written */
if (Length < (*ReturnLength))
{
/* Yes, indicate so in the return status */
Status = STATUS_INFO_LENGTH_MISMATCH;
/* Calculate amount of bytes which the provided buffer could handle */
BytesToCopy = Length - sizeof(OBJECT_NAME_INFORMATION);
}
/* Remove the null termination character from the size */
BytesToCopy -= sizeof(WCHAR);
/* Fill in the result */ /* Fill in the result */
_SEH2_TRY _SEH2_TRY
{ {
@ -177,7 +194,10 @@ CmpQueryKeyName(IN PVOID ObjectBody,
/* Copy string content*/ /* Copy string content*/
RtlCopyMemory(ObjectNameInfo->Name.Buffer, RtlCopyMemory(ObjectNameInfo->Name.Buffer,
KeyName->Buffer, KeyName->Buffer,
*ReturnLength); BytesToCopy);
/* Null terminate it */
ObjectNameInfo->Name.Buffer[BytesToCopy / sizeof(WCHAR)] = 0;
} }
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{ {