[NTOSKRNL] Fix out-of-bounds access (CID-1401083) and potencial memory leak in FsRtlIsNameInExpressionPrivate

This commit is contained in:
Timo Kreuzer 2017-10-22 14:56:52 +02:00
parent 561f18afea
commit 959d9c6201

View file

@ -26,6 +26,8 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
USHORT Offset, Position, BackTrackingPosition, OldBackTrackingPosition; USHORT Offset, Position, BackTrackingPosition, OldBackTrackingPosition;
USHORT BackTrackingBuffer[16], OldBackTrackingBuffer[16] = {0}; USHORT BackTrackingBuffer[16], OldBackTrackingBuffer[16] = {0};
PUSHORT BackTrackingSwap, BackTracking = BackTrackingBuffer, OldBackTracking = OldBackTrackingBuffer; PUSHORT BackTrackingSwap, BackTracking = BackTrackingBuffer, OldBackTracking = OldBackTrackingBuffer;
ULONG BackTrackingBufferSize = RTL_NUMBER_OF(BackTrackingBuffer);
PVOID AllocatedBuffer = NULL;
UNICODE_STRING IntExpression; UNICODE_STRING IntExpression;
USHORT ExpressionPosition, NamePosition = 0, MatchingChars = 1; USHORT ExpressionPosition, NamePosition = 0, MatchingChars = 1;
BOOLEAN EndOfName = FALSE; BOOLEAN EndOfName = FALSE;
@ -133,22 +135,40 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
} }
/* If buffer too small */ /* If buffer too small */
if (BackTrackingPosition > RTL_NUMBER_OF(BackTrackingBuffer) - 1) if (BackTrackingPosition > BackTrackingBufferSize - 2)
{ {
/* Allocate memory for BackTracking */ /* We should only ever get here once! */
BackTracking = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, ASSERT(AllocatedBuffer == NULL);
(Expression->Length + sizeof(WCHAR)) * sizeof(USHORT), ASSERT((BackTracking == BackTrackingBuffer) || (BackTracking == OldBackTrackingBuffer));
ASSERT((OldBackTracking == BackTrackingBuffer) || (OldBackTracking == OldBackTrackingBuffer));
/* Calculate buffer size */
BackTrackingBufferSize = (Expression->Length + 1) * 2;
/* Allocate memory for both back-tracking buffers */
AllocatedBuffer = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,
2 * BackTrackingBufferSize * sizeof(USHORT),
'nrSF'); 'nrSF');
/* Copy old buffer content */ if (AllocatedBuffer == NULL)
{
DPRINT1("Failed to allocate BackTracking buffer. BackTrackingBufferSize = =x%lx\n",
BackTrackingBufferSize);
Result = FALSE;
goto Exit;
}
/* Backtracking is at the start of the buffer */
BackTracking = AllocatedBuffer;
/* Copy BackTrackingBuffer content */
RtlCopyMemory(BackTracking, RtlCopyMemory(BackTracking,
BackTrackingBuffer, BackTrackingBuffer,
RTL_NUMBER_OF(BackTrackingBuffer) * sizeof(USHORT)); RTL_NUMBER_OF(BackTrackingBuffer) * sizeof(USHORT));
/* Allocate memory for OldBackTracking */ /* OldBackTracking is after BackTracking */
OldBackTracking = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, OldBackTracking = &BackTracking[BackTrackingBufferSize];
(Expression->Length + sizeof(WCHAR)) * sizeof(USHORT),
'nrSF'); /* Copy OldBackTrackingBuffer content */
/* Copy old buffer content */
RtlCopyMemory(OldBackTracking, RtlCopyMemory(OldBackTracking,
OldBackTrackingBuffer, OldBackTrackingBuffer,
RTL_NUMBER_OF(OldBackTrackingBuffer) * sizeof(USHORT)); RTL_NUMBER_OF(OldBackTrackingBuffer) * sizeof(USHORT));
@ -235,11 +255,13 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
/* Store result value */ /* Store result value */
Result = MatchingChars > 0 && (OldBackTracking[MatchingChars - 1] == (Expression->Length * 2)); Result = MatchingChars > 0 && (OldBackTracking[MatchingChars - 1] == (Expression->Length * 2));
Exit:
/* Frees the memory if necessary */ /* Frees the memory if necessary */
if (BackTracking != BackTrackingBuffer && BackTracking != OldBackTrackingBuffer) if (AllocatedBuffer != NULL)
ExFreePoolWithTag(BackTracking, 'nrSF'); {
if (OldBackTracking != BackTrackingBuffer && OldBackTracking != OldBackTrackingBuffer) ExFreePoolWithTag(AllocatedBuffer, 'nrSF');
ExFreePoolWithTag(OldBackTracking, 'nrSF'); }
return Result; return Result;
} }