[NTOS:CM] Avoid a fixed-length stack buffer in CmpCmdHiveOpen. CORE-15882

Thomas Faber 2019-04-17 09:37:37 +02:00
parent 26ab9f8a03
commit d570482bc7
No known key found for this signature in database
GPG key ID: 076E7C3D44720826


@ -278,9 +278,8 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
NTSTATUS Status; NTSTATUS Status;
UNICODE_STRING FileName; UNICODE_STRING FileName;
PWCHAR FilePath; PWCHAR FilePath;
UCHAR Buffer[sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR)]; ULONG Length;
ULONG Length = sizeof(Buffer); POBJECT_NAME_INFORMATION FileNameInfo;
POBJECT_NAME_INFORMATION FileNameInfo = (POBJECT_NAME_INFORMATION)Buffer;
PAGED_CODE(); PAGED_CODE();
@ -297,6 +296,27 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
return STATUS_OBJECT_PATH_SYNTAX_BAD; return STATUS_OBJECT_PATH_SYNTAX_BAD;
} }
/* Determine the right buffer size and allocate */
Status = ZwQueryObject(FileAttributes->RootDirectory,
ObjectNameInformation,
NULL,
0,
&Length);
if (Status != STATUS_BUFFER_TOO_SMALL)
{
DPRINT1("CmpCmdHiveOpen(): Root directory handle object name size query failed, Status = 0x%08lx\n", Status);
return Status;
}
FileNameInfo = ExAllocatePoolWithTag(PagedPool,
Length + sizeof(UNICODE_NULL),
TAG_CM);
if (FileNameInfo == NULL)
{
DPRINT1("CmpCmdHiveOpen(): Unable to allocate memory\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
/* Try to get the value */ /* Try to get the value */
Status = ZwQueryObject(FileAttributes->RootDirectory, Status = ZwQueryObject(FileAttributes->RootDirectory,
ObjectNameInformation, ObjectNameInformation,
@ -307,6 +327,7 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
{ {
/* Fail */ /* Fail */
DPRINT1("CmpCmdHiveOpen(): Root directory handle object name query failed, Status = 0x%08lx\n", Status); DPRINT1("CmpCmdHiveOpen(): Root directory handle object name query failed, Status = 0x%08lx\n", Status);
ExFreePoolWithTag(FileNameInfo, TAG_CM);
return Status; return Status;
} }
@ -321,6 +342,7 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
if (Length > MAXUSHORT) if (Length > MAXUSHORT)
{ {
/* Name size too long, bail out */ /* Name size too long, bail out */
ExFreePoolWithTag(FileNameInfo, TAG_CM);
return STATUS_OBJECT_PATH_INVALID; return STATUS_OBJECT_PATH_INVALID;
} }
@ -331,10 +353,12 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
{ {
/* Fail */ /* Fail */
DPRINT1("CmpCmdHiveOpen(): Unable to allocate memory\n"); DPRINT1("CmpCmdHiveOpen(): Unable to allocate memory\n");
ExFreePoolWithTag(FileNameInfo, TAG_CM);
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
} }
FileName.MaximumLength = Length; FileName.MaximumLength = Length;
RtlCopyUnicodeString(&FileName, &FileNameInfo->Name); RtlCopyUnicodeString(&FileName, &FileNameInfo->Name);
ExFreePoolWithTag(FileNameInfo, TAG_CM);
/* /*
* Append a path terminator if needed (we have already accounted * Append a path terminator if needed (we have already accounted