hpoussin@svn.reactos.com wrote:
Don't always return STATUS_BUFFER_TOO_SMALL when an error occurs in ZwQueryValueKey. The "if" was triggered because ValueInformation->DataLength is 0xcdcdcdcd at the return of the function.
But that means that the memory was freed during the failure, so now the ExFreePool will run into a double-free!
Modified: trunk/reactos/ntoskrnl/io/pnpmgr.c
--- trunk/reactos/ntoskrnl/io/pnpmgr.c 2005-10-14 13:00:18 UTC (rev 18441) +++ trunk/reactos/ntoskrnl/io/pnpmgr.c 2005-10-14 13:04:11 UTC (rev 18442) @@ -322,15 +322,18 @@
*ResultLength = ValueInformation->DataLength; ZwClose(KeyHandle);
if (ValueInformation->DataLength > BufferLength)Status = STATUS_BUFFER_TOO_SMALL;if (!NT_SUCCESS(Status)) { ExFreePool(ValueInformation); return Status; }
if (ValueInformation->DataLength > BufferLength){ExFreePool(ValueInformation);return STATUS_BUFFER_TOO_SMALL;}/* FIXME: Verify the value (NULL-terminated, correct format). */ RtlCopyMemory(PropertyBuffer, ValueInformation->Data,
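Review bot: this hunk drops the only visible check of the status returned by ZwQueryValueKey, while the unchanged context line `*ResultLength = ValueInformation->DataLength;` still executes before any check at all. The removed block tested `!NT_SUCCESS(Status)` after the size comparison; the replacement keeps only `if (ValueInformation->DataLength > BufferLength)`, so unless a status check was added above the lines shown here, a failed query falls through to RtlCopyMemory with exactly the uninitialized DataLength (0xcdcdcdcd) the commit message describes, and *ResultLength receives that value on both the old and the new path. Suggest testing Status immediately after ZwQueryValueKey, before `*ResultLength` is written and before ZwClose, and stating in a comment who owns ValueInformation on that failure path, since the reply above questions whether the ExFreePool there is a double free.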
Please check this out in more detail...
Best regards, Alex Ionescu