Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-12-28 18:15:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTFS] Fix use after free in failure case of NtfsMountVolume.

Browse source 
NtfsGetVolumeData frees FileRecLookasideList in case of failure, so don't
free it again.
Dereferencing NewDeviceObject invalidates Vcb.
This commit is contained in:
Thomas Faber 2020-01-11 14:08:20 +01:00
parent 88f7be101a
commit bd7121862a
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
1 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
drivers/filesystems/ntfs/fsctl.c
View file

@ -452,8 +452,6 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
if (!NT_SUCCESS(Status))
goto ByeBye;
Lookaside = TRUE;
NewDeviceObject->Flags |= DO_DIRECT_IO;
Vcb = (PVOID)NewDeviceObject->DeviceExtension;
RtlZeroMemory(Vcb, sizeof(NTFS_VCB));
@ -466,6 +464,8 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
if (!NT_SUCCESS(Status))
goto ByeBye;
Lookaside = TRUE;
NewDeviceObject->Vpb = DeviceToMount->Vpb;
Vcb->StorageDevice = DeviceToMount;
@ -564,11 +564,11 @@ ByeBye:
if (Ccb)
ExFreePool(Ccb);
if (NewDeviceObject)
IoDeleteDevice(NewDeviceObject);
if (Lookaside)
ExDeleteNPagedLookasideList(&Vcb->FileRecLookasideList);
if (NewDeviceObject)
IoDeleteDevice(NewDeviceObject);
}
DPRINT("NtfsMountVolume() done (Status: %lx)\n", Status);