mirror of
https://github.com/reactos/reactos.git
synced 2024-12-31 19:42:51 +00:00
[NTOSKRNL] Fix out-of-bounds access (CID-1401083) and potencial memory leak in FsRtlIsNameInExpressionPrivate
This commit is contained in:
parent
561f18afea
commit
959d9c6201
1 changed files with 37 additions and 15 deletions
|
@ -26,6 +26,8 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
|
||||||
USHORT Offset, Position, BackTrackingPosition, OldBackTrackingPosition;
|
USHORT Offset, Position, BackTrackingPosition, OldBackTrackingPosition;
|
||||||
USHORT BackTrackingBuffer[16], OldBackTrackingBuffer[16] = {0};
|
USHORT BackTrackingBuffer[16], OldBackTrackingBuffer[16] = {0};
|
||||||
PUSHORT BackTrackingSwap, BackTracking = BackTrackingBuffer, OldBackTracking = OldBackTrackingBuffer;
|
PUSHORT BackTrackingSwap, BackTracking = BackTrackingBuffer, OldBackTracking = OldBackTrackingBuffer;
|
||||||
|
ULONG BackTrackingBufferSize = RTL_NUMBER_OF(BackTrackingBuffer);
|
||||||
|
PVOID AllocatedBuffer = NULL;
|
||||||
UNICODE_STRING IntExpression;
|
UNICODE_STRING IntExpression;
|
||||||
USHORT ExpressionPosition, NamePosition = 0, MatchingChars = 1;
|
USHORT ExpressionPosition, NamePosition = 0, MatchingChars = 1;
|
||||||
BOOLEAN EndOfName = FALSE;
|
BOOLEAN EndOfName = FALSE;
|
||||||
|
@ -133,22 +135,40 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* If buffer too small */
|
/* If buffer too small */
|
||||||
if (BackTrackingPosition > RTL_NUMBER_OF(BackTrackingBuffer) - 1)
|
if (BackTrackingPosition > BackTrackingBufferSize - 2)
|
||||||
{
|
{
|
||||||
/* Allocate memory for BackTracking */
|
/* We should only ever get here once! */
|
||||||
BackTracking = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,
|
ASSERT(AllocatedBuffer == NULL);
|
||||||
(Expression->Length + sizeof(WCHAR)) * sizeof(USHORT),
|
ASSERT((BackTracking == BackTrackingBuffer) || (BackTracking == OldBackTrackingBuffer));
|
||||||
|
ASSERT((OldBackTracking == BackTrackingBuffer) || (OldBackTracking == OldBackTrackingBuffer));
|
||||||
|
|
||||||
|
/* Calculate buffer size */
|
||||||
|
BackTrackingBufferSize = (Expression->Length + 1) * 2;
|
||||||
|
|
||||||
|
/* Allocate memory for both back-tracking buffers */
|
||||||
|
AllocatedBuffer = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,
|
||||||
|
2 * BackTrackingBufferSize * sizeof(USHORT),
|
||||||
'nrSF');
|
'nrSF');
|
||||||
/* Copy old buffer content */
|
if (AllocatedBuffer == NULL)
|
||||||
|
{
|
||||||
|
DPRINT1("Failed to allocate BackTracking buffer. BackTrackingBufferSize = =x%lx\n",
|
||||||
|
BackTrackingBufferSize);
|
||||||
|
Result = FALSE;
|
||||||
|
goto Exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Backtracking is at the start of the buffer */
|
||||||
|
BackTracking = AllocatedBuffer;
|
||||||
|
|
||||||
|
/* Copy BackTrackingBuffer content */
|
||||||
RtlCopyMemory(BackTracking,
|
RtlCopyMemory(BackTracking,
|
||||||
BackTrackingBuffer,
|
BackTrackingBuffer,
|
||||||
RTL_NUMBER_OF(BackTrackingBuffer) * sizeof(USHORT));
|
RTL_NUMBER_OF(BackTrackingBuffer) * sizeof(USHORT));
|
||||||
|
|
||||||
/* Allocate memory for OldBackTracking */
|
/* OldBackTracking is after BackTracking */
|
||||||
OldBackTracking = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,
|
OldBackTracking = &BackTracking[BackTrackingBufferSize];
|
||||||
(Expression->Length + sizeof(WCHAR)) * sizeof(USHORT),
|
|
||||||
'nrSF');
|
/* Copy OldBackTrackingBuffer content */
|
||||||
/* Copy old buffer content */
|
|
||||||
RtlCopyMemory(OldBackTracking,
|
RtlCopyMemory(OldBackTracking,
|
||||||
OldBackTrackingBuffer,
|
OldBackTrackingBuffer,
|
||||||
RTL_NUMBER_OF(OldBackTrackingBuffer) * sizeof(USHORT));
|
RTL_NUMBER_OF(OldBackTrackingBuffer) * sizeof(USHORT));
|
||||||
|
@ -235,11 +255,13 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
|
||||||
/* Store result value */
|
/* Store result value */
|
||||||
Result = MatchingChars > 0 && (OldBackTracking[MatchingChars - 1] == (Expression->Length * 2));
|
Result = MatchingChars > 0 && (OldBackTracking[MatchingChars - 1] == (Expression->Length * 2));
|
||||||
|
|
||||||
|
Exit:
|
||||||
|
|
||||||
/* Frees the memory if necessary */
|
/* Frees the memory if necessary */
|
||||||
if (BackTracking != BackTrackingBuffer && BackTracking != OldBackTrackingBuffer)
|
if (AllocatedBuffer != NULL)
|
||||||
ExFreePoolWithTag(BackTracking, 'nrSF');
|
{
|
||||||
if (OldBackTracking != BackTrackingBuffer && OldBackTracking != OldBackTrackingBuffer)
|
ExFreePoolWithTag(AllocatedBuffer, 'nrSF');
|
||||||
ExFreePoolWithTag(OldBackTracking, 'nrSF');
|
}
|
||||||
|
|
||||||
return Result;
|
return Result;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue