From b00db8b8a611e2bc75ab39cea772ff473bdd1a90 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Fri, 18 Jun 2010 21:57:07 +0000
Subject: [PATCH] [NTOSKRNL] - Fix a string termination bug in the device interface code - Thanks to janderwald for spotting the bug
svn path=/trunk/; revision=47801
---
 reactos/ntoskrnl/io/iomgr/deviface.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/reactos/ntoskrnl/io/iomgr/deviface.c b/reactos/ntoskrnl/io/iomgr/deviface.c
index a9b5e475705..dcc086eb659 100644
--- a/reactos/ntoskrnl/io/iomgr/deviface.c
+++ b/reactos/ntoskrnl/io/iomgr/deviface.c
@@ -105,18 +105,20 @@ OpenRegistryHandlesFromSymbolicLink(IN PUNICODE_STRING SymbolicLinkName,
 goto cleanup;
 }
- SubKeyName.Buffer = ExAllocatePool(PagedPool, SymbolicLinkName->Length);
+ SubKeyName.MaximumLength = SymbolicLinkName->Length + sizeof(WCHAR);
+ SubKeyName.Length = 0;
+ SubKeyName.Buffer = ExAllocatePool(PagedPool, SubKeyName.MaximumLength);
 if (!SubKeyName.Buffer)
 {
 Status = STATUS_INSUFFICIENT_RESOURCES;
 goto cleanup;
 }
- SubKeyName.MaximumLength = SymbolicLinkName->Length;
- SubKeyName.Length = 0;
 RtlAppendUnicodeStringToString(&SubKeyName, SymbolicLinkName);
+ SubKeyName.Buffer[SubKeyName.Length / sizeof(WCHAR)] = UNICODE_NULL;
+ SubKeyName.Buffer[0] = L'#';
 SubKeyName.Buffer[1] = L'#';
 SubKeyName.Buffer[2] = L'?';
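Review bot: The new `SubKeyName.MaximumLength = SymbolicLinkName->Length + sizeof(WCHAR);` is stored in a USHORT field, so a caller-supplied Length at or near the 16-bit maximum would wrap to a tiny value and shrink the pool allocation. The result of `RtlAppendUnicodeStringToString` is ignored, so in that case the fixed writes to `Buffer[0]`..`Buffer[2]` would still run against the undersized buffer. The same writes also assume the name holds at least three WCHARs, which nothing in the hunk checks. The function starts above the hunk, so an earlier length check may already exist; if not, a guard before the allocation would cover both ends, e.g. `if (SymbolicLinkName->Length < 3 * sizeof(WCHAR) || SymbolicLinkName->Length > MAXUSHORT - sizeof(WCHAR)) { Status = STATUS_INVALID_PARAMETER; goto cleanup; }`. Checking the append's NTSTATUS before touching the buffer would make a truncated copy fail closed.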