[NTOS:PNP] Avoid a fixed-length stack buffer in IopActionConfigureChildServices. CORE-15882

2025-05-29 22:18:13 +00:00 · 2019-03-24 15:04:37 +01:00 · 2019-03-24 15:04:37 +01:00 · ccb91bebbe
commit ccb91bebbe
parent e1b20681f5
1 changed files with 14 additions and 6 deletions
--- a/ntoskrnl/io/pnpmgr/pnpmgr.c
+++ b/ntoskrnl/io/pnpmgr/pnpmgr.c
@ -2854,16 +2854,11 @@ IopActionConfigureChildServices(PDEVICE_NODE DeviceNode,

   if (!(DeviceNode->Flags & (DNF_DISABLED | DNF_STARTED | DNF_ADDED)))
   {
-      WCHAR RegKeyBuffer[MAX_PATH];
      UNICODE_STRING RegKey;

      /* Install the service for this if it's in the CDDB */
      IopInstallCriticalDevice(DeviceNode);

-      RegKey.Length = 0;
-      RegKey.MaximumLength = sizeof(RegKeyBuffer);
-      RegKey.Buffer = RegKeyBuffer;
-
      /*
       * Retrieve configuration from Enum key
       */
@ -2885,11 +2880,24 @@ IopActionConfigureChildServices(PDEVICE_NODE DeviceNode,
      QueryTable[1].DefaultData = L"";
      QueryTable[1].DefaultLength = 0;

-      RtlAppendUnicodeToString(&RegKey, L"\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\");
+      RegKey.Length = 0;
+      RegKey.MaximumLength = sizeof(ENUM_ROOT) + sizeof(WCHAR) + DeviceNode->InstancePath.Length;
+      RegKey.Buffer = ExAllocatePoolWithTag(PagedPool,
+                                            RegKey.MaximumLength,
+                                            TAG_IO);
+      if (RegKey.Buffer == NULL)
+      {
+          IopDeviceNodeSetFlag(DeviceNode, DNF_DISABLED);
+          return STATUS_INSUFFICIENT_RESOURCES;
+      }
+
+      RtlAppendUnicodeToString(&RegKey, ENUM_ROOT);
+      RtlAppendUnicodeToString(&RegKey, L"\\");
      RtlAppendUnicodeStringToString(&RegKey, &DeviceNode->InstancePath);

      Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,
         RegKey.Buffer, QueryTable, NULL, NULL);
+      ExFreePoolWithTag(RegKey.Buffer, TAG_IO);

      if (!NT_SUCCESS(Status))
      {