[NTOS:IO] Avoid a fixed-length buffer in IopGetDriverObject. CORE-15882

Thomas Faber 2019-03-24 14:47:59 +01:00
parent 6fdff1f970
commit e1b20681f5


@ -108,7 +108,7 @@ IopGetDriverObject(
BOOLEAN FileSystem)
{
PDRIVER_OBJECT Object;
WCHAR NameBuffer[MAX_PATH];
UNICODE_STRING Prefix;
UNICODE_STRING DriverName;
NTSTATUS Status;
@ -123,14 +123,20 @@ IopGetDriverObject(
/* We don't know which DriverObject we have to open */
return STATUS_INVALID_PARAMETER_2;
DriverName.Buffer = NameBuffer;
DriverName.Length = 0;
DriverName.MaximumLength = sizeof(NameBuffer);
if (FileSystem != FALSE)
RtlAppendUnicodeToString(&DriverName, FILESYSTEM_ROOT_NAME);
RtlInitUnicodeString(&Prefix, FILESYSTEM_ROOT_NAME);
else
RtlAppendUnicodeToString(&DriverName, DRIVER_ROOT_NAME);
RtlInitUnicodeString(&Prefix, DRIVER_ROOT_NAME);
DriverName.Length = 0;
DriverName.MaximumLength = Prefix.Length + ServiceName->Length + sizeof(UNICODE_NULL);
ASSERT(DriverName.MaximumLength > ServiceName->Length);
DriverName.Buffer = ExAllocatePoolWithTag(PagedPool, DriverName.MaximumLength, TAG_IO);
if (DriverName.Buffer == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlAppendUnicodeStringToString(&DriverName, &Prefix);
RtlAppendUnicodeStringToString(&DriverName, ServiceName);
DPRINT("Driver name: '%wZ'\n", &DriverName);
@ -144,6 +150,7 @@ IopGetDriverObject(
KernelMode,
NULL, /* ParseContext */
(PVOID*)&Object);
ExFreePoolWithTag(DriverName.Buffer, TAG_IO);
if (!NT_SUCCESS(Status))
{
DPRINT("Failed to reference driver object, status=0x%08x\n", Status);
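Review bot: The size arithmetic for `DriverName.MaximumLength` in the second hunk (`@ -123,14 +123,20`) can wrap, because MaximumLength is a USHORT while `Prefix.Length + ServiceName->Length + sizeof(UNICODE_NULL)` is evaluated at full width before the store; the ASSERT on the next line catches that only in checked builds, and the two `RtlAppendUnicodeStringToString` return values are not checked, so a free build would go on to `ObReferenceObjectByName` with a truncated or empty name instead of failing. A rejection before the allocation keeps the failure explicit: `if (ServiceName->Length > MAXUSHORT - Prefix.Length - sizeof(UNICODE_NULL)) return STATUS_NAME_TOO_LONG;`. ServiceName is a caller-supplied string whose origin is not visible here, so a real length check rather than a debug-only assertion seems the appropriate guard. IopGetDriverObject's signature and the earlier ServiceName validation lie before the first hunk, and the ObReferenceObjectByName call itself is split across the gap between the second and third hunks.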