mirror of
https://github.com/reactos/reactos.git
synced 2024-07-01 02:10:07 +00:00
[NDISUIO]
- Fix a query binding bug that caused access to unallocated memory [WLANCONF] - Fix parameter parsing and dumb IOCTL_NDISUIO_QUERY_BINDING usage svn path=/branches/wlan-bringup/; revision=54877
This commit is contained in:
Cameron Gutman
parent
1df989ccab
commit
b21b8741c3
|
|
@ -132,21 +132,16 @@ OpenAdapterHandle(DWORD Index)
|
|||
return INVALID_HANDLE_VALUE;
|
||||
}
|
||||
|
||||
/* Query for bindable adapters */
|
||||
QueryBinding->BindingIndex = 0;
|
||||
do {
|
||||
bSuccess = DeviceIoControl(hDriver,
|
||||
IOCTL_NDISUIO_QUERY_BINDING,
|
||||
QueryBinding,
|
||||
QueryBindingSize,
|
||||
QueryBinding,
|
||||
QueryBindingSize,
|
||||
&dwBytesReturned,
|
||||
NULL);
|
||||
if (QueryBinding->BindingIndex == Index)
|
||||
break;
|
||||
QueryBinding->BindingIndex++;
|
||||
} while (bSuccess);
|
||||
/* Query the adapter binding information */
|
||||
QueryBinding->BindingIndex = Index;
|
||||
bSuccess = DeviceIoControl(hDriver,
|
||||
IOCTL_NDISUIO_QUERY_BINDING,
|
||||
QueryBinding,
|
||||
QueryBindingSize,
|
||||
QueryBinding,
|
||||
QueryBindingSize,
|
||||
&dwBytesReturned,
|
||||
NULL);
|
||||
|
||||
if (!bSuccess)
|
||||
{
|
||||
|
|
@ -540,35 +535,46 @@ BOOL ParseCmdline(int argc, char* argv[])
|
|||
|
||||
for (i = 1; i < argc; i++)
|
||||
{
|
||||
if ((argc > 1) && (argv[i][0] == '-'))
|
||||
if (argv[i][0] == '-')
|
||||
{
|
||||
TCHAR c;
|
||||
|
||||
while ((c = *++argv[i]) != '\0')
|
||||
switch (argv[i][1])
|
||||
{
|
||||
switch (c)
|
||||
{
|
||||
case 's':
|
||||
bScan = TRUE;
|
||||
break;
|
||||
case 'd':
|
||||
bDisconnect = TRUE;
|
||||
break;
|
||||
case 'c':
|
||||
bConnect = TRUE;
|
||||
sSsid = argv[++i];
|
||||
break;
|
||||
case 'w':
|
||||
sWepKey = argv[++i];
|
||||
break;
|
||||
case 'a':
|
||||
bAdhoc = TRUE;
|
||||
break;
|
||||
default :
|
||||
case 's':
|
||||
bScan = TRUE;
|
||||
break;
|
||||
case 'd':
|
||||
bDisconnect = TRUE;
|
||||
break;
|
||||
case 'c':
|
||||
if (i == argc - 1)
|
||||
{
|
||||
Usage();
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
bConnect = TRUE;
|
||||
sSsid = argv[++i];
|
||||
break;
|
||||
case 'w':
|
||||
if (i == argc - 1)
|
||||
{
|
||||
Usage();
|
||||
return FALSE;
|
||||
}
|
||||
sWepKey = argv[++i];
|
||||
break;
|
||||
case 'a':
|
||||
bAdhoc = TRUE;
|
||||
break;
|
||||
default :
|
||||
Usage();
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
Usage();
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ static
|
|||
NTSTATUS
|
||||
QueryBinding(PIRP Irp, PIO_STACK_LOCATION IrpSp)
|
||||
{
|
||||
PNDISUIO_ADAPTER_CONTEXT AdapterContext;
|
||||
PNDISUIO_ADAPTER_CONTEXT AdapterContext = NULL;
|
||||
PNDISUIO_QUERY_BINDING QueryBinding = Irp->AssociatedIrp.SystemBuffer;
|
||||
ULONG BindingLength = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
|
||||
NTSTATUS Status;
|
||||
|
|
@ -50,14 +50,16 @@ QueryBinding(PIRP Irp, PIO_STACK_LOCATION IrpSp)
|
|||
while (CurrentEntry != &GlobalAdapterList)
|
||||
{
|
||||
if (i == QueryBinding->BindingIndex)
|
||||
{
|
||||
AdapterContext = CONTAINING_RECORD(CurrentEntry, NDISUIO_ADAPTER_CONTEXT, ListEntry);
|
||||
break;
|
||||
}
|
||||
i++;
|
||||
CurrentEntry = CurrentEntry->Flink;
|
||||
}
|
||||
KeReleaseSpinLock(&GlobalAdapterListLock, OldIrql);
|
||||
if (i == QueryBinding->BindingIndex)
|
||||
if (AdapterContext)
|
||||
{
|
||||
AdapterContext = CONTAINING_RECORD(CurrentEntry, NDISUIO_ADAPTER_CONTEXT, ListEntry);
|
||||
DPRINT("Query binding for index %d is adapter %wZ\n", i, &AdapterContext->DeviceName);
|
||||
BytesCopied = sizeof(NDISUIO_QUERY_BINDING);
|
||||
if (AdapterContext->DeviceName.Length <= BindingLength - BytesCopied)
|
||||
|
|
|
|||
Loading…
Reference in a new issue