From b21b8741c30911ddc39c43af0058d4ff70ee85e9 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Sun, 8 Jan 2012 06:51:44 +0000
Subject: [PATCH] [NDISUIO] - Fix a query binding bug that caused access to unallocated memory [WLANCONF] - Fix parameter parsing and dumb IOCTL_NDISUIO_QUERY_BINDING usage

svn path=/branches/wlan-bringup/; revision=54877
---
 base/applications/network/wlanconf/wlanconf.c | 84 ++++++++++---------
 drivers/network/ndisuio/ioctl.c               |  8 +-
 2 files changed, 50 insertions(+), 42 deletions(-)

diff --git a/base/applications/network/wlanconf/wlanconf.c b/base/applications/network/wlanconf/wlanconf.c
index 9a4642c1be0..5b265da23eb 100644
--- a/base/applications/network/wlanconf/wlanconf.c
+++ b/base/applications/network/wlanconf/wlanconf.c
@@ -132,21 +132,16 @@ OpenAdapterHandle(DWORD Index)
         return INVALID_HANDLE_VALUE;
     }
 
-    /* Query for bindable adapters */
-    QueryBinding->BindingIndex = 0;
-    do {
-        bSuccess = DeviceIoControl(hDriver,
-                                   IOCTL_NDISUIO_QUERY_BINDING,
-                                   QueryBinding,
-                                   QueryBindingSize,
-                                   QueryBinding,
-                                   QueryBindingSize,
-                                   &dwBytesReturned,
-                                   NULL);
-        if (QueryBinding->BindingIndex == Index)
-            break;
-        QueryBinding->BindingIndex++;
-    } while (bSuccess);
+    /* Query the adapter binding information */
+    QueryBinding->BindingIndex = Index;
+    bSuccess = DeviceIoControl(hDriver,
+                               IOCTL_NDISUIO_QUERY_BINDING,
+                               QueryBinding,
+                               QueryBindingSize,
+                               QueryBinding,
+                               QueryBindingSize,
+                               &dwBytesReturned,
+                               NULL);
 
     if (!bSuccess)
     {
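Review bot: The new single-shot query trusts `bSuccess` alone; nothing in the hunk checks that `dwBytesReturned` covers at least `sizeof(NDISUIO_QUERY_BINDING)` before the binding fields are read, which presumably happens further down (OpenAdapterHandle's body continues outside the hunk). A short or partial reply from the driver would then be parsed as a complete `NDISUIO_QUERY_BINDING`. Folding that into the existing failure path keeps the change small: `if (bSuccess && dwBytesReturned < sizeof(NDISUIO_QUERY_BINDING)) bSuccess = FALSE;` placed just before `if (!bSuccess)`. The comment could also say what the index means, since the driver side on this page walks its adapter list by position: `/* Ask ndisuio for the binding at position Index in its adapter list */`.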
@@ -540,35 +535,46 @@ BOOL ParseCmdline(int argc, char* argv[])
 
     for (i = 1; i < argc; i++)
     {
-        if ((argc > 1) && (argv[i][0] == '-'))
+        if (argv[i][0] == '-')
         {
-            TCHAR c;
-
-            while ((c = *++argv[i]) != '\0')
+            switch (argv[i][1])
             {
-                switch (c)
-                {
-                    case 's':
-                        bScan = TRUE;
-                        break;
-                    case 'd':
-                        bDisconnect = TRUE;
-                        break;
-                    case 'c':
-                        bConnect = TRUE;
-                        sSsid = argv[++i];
-                        break;
-                    case 'w':
-                        sWepKey = argv[++i];
-                        break;
-                    case 'a':
-                        bAdhoc = TRUE;
-                        break;
-                    default :
+                case 's':
+                    bScan = TRUE;
+                    break;
+                case 'd':
+                    bDisconnect = TRUE;
+                    break;
+                case 'c':
+                    if (i == argc - 1)
+                    {
                         Usage();
                         return FALSE;
-                }
+                    }
+                    bConnect = TRUE;
+                    sSsid = argv[++i];
+                    break;
+                case 'w':
+                    if (i == argc - 1)
+                    {
+                        Usage();
+                        return FALSE;
+                    }
+                    sWepKey = argv[++i];
+                    break;
+                case 'a':
+                    bAdhoc = TRUE;
+                    break;
+                default :
+                    Usage();
+                    return FALSE;
             }
+
+        }
+        else
+        {
+            Usage();
+            return FALSE;
         }
     }
 
diff --git a/drivers/network/ndisuio/ioctl.c b/drivers/network/ndisuio/ioctl.c
index c76c5e9f497..774c20d7694 100644
--- a/drivers/network/ndisuio/ioctl.c
+++ b/drivers/network/ndisuio/ioctl.c
@@ -33,7 +33,7 @@ static NTSTATUS
 QueryBinding(PIRP Irp, PIO_STACK_LOCATION IrpSp)
 {
-    PNDISUIO_ADAPTER_CONTEXT AdapterContext;
+    PNDISUIO_ADAPTER_CONTEXT AdapterContext = NULL;
     PNDISUIO_QUERY_BINDING QueryBinding = Irp->AssociatedIrp.SystemBuffer;
     ULONG BindingLength = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
     NTSTATUS Status;
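Review bot: The new `switch (argv[i][1])` looks only at the first character after the dash, so `-sd` or `-sx` are silently accepted as `-s`, whereas the removed `while` loop consumed every letter of a combined flag. If combined flags are intentionally dropped, reject the leftover characters instead of ignoring them, e.g. `if (argv[i][2] != '\0') { Usage(); return FALSE; }` before the switch (an argument of just `-` already lands in `default`). Also, the empty line before the `}` that closes the `if` body is stray, and `default :` keeps an odd space before the colon.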
@@ -50,14 +50,16 @@ QueryBinding(PIRP Irp, PIO_STACK_LOCATION IrpSp)
     while (CurrentEntry != &GlobalAdapterList)
     {
         if (i == QueryBinding->BindingIndex)
+        {
+            AdapterContext = CONTAINING_RECORD(CurrentEntry, NDISUIO_ADAPTER_CONTEXT, ListEntry);
             break;
+        }
         i++;
         CurrentEntry = CurrentEntry->Flink;
     }
     KeReleaseSpinLock(&GlobalAdapterListLock, OldIrql);
-    if (i == QueryBinding->BindingIndex)
+    if (AdapterContext)
     {
-        AdapterContext = CONTAINING_RECORD(CurrentEntry, NDISUIO_ADAPTER_CONTEXT, ListEntry);
         DPRINT("Query binding for index %d is adapter %wZ\n", i, &AdapterContext->DeviceName);
         BytesCopied = sizeof(NDISUIO_QUERY_BINDING);
         if (AdapterContext->DeviceName.Length <= BindingLength - BytesCopied)
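Review bot: `AdapterContext` is now resolved under `GlobalAdapterListLock` but dereferenced only after `KeReleaseSpinLock`, so unless adapters cannot be unbound while this IOCTL is in flight or the context is reference-counted (neither is visible here), the `DPRINT` and the copy below may touch a freed context; the removed code had the same window, so the commit narrows the bug without closing it. Taking a reference while the lock is held, or copying `DeviceName` into the IRP buffer before the lock is released, would close it. Separately, `BindingLength - BytesCopied` on the last line is an unsigned subtraction (`BindingLength` is a `ULONG` per the previous hunk): if `BindingLength < sizeof(NDISUIO_QUERY_BINDING)` is not rejected earlier in the function (its start is outside the hunk), it wraps and the size check passes, so a guard such as `if (BindingLength < sizeof(NDISUIO_QUERY_BINDING)) /* fail with STATUS_BUFFER_TOO_SMALL */` up front is worth confirming. QueryBinding continues past the end of the hunk.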