https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ccb91bebbe1c44fb160165...
commit ccb91bebbe1c44fb160165c6e717a56289d3ab5c Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Sun Mar 24 15:04:37 2019 +0100 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sun May 5 10:39:07 2019 +0200
[NTOS:PNP] Avoid a fixed-length stack buffer in IopActionConfigureChildServices. CORE-15882 --- ntoskrnl/io/pnpmgr/pnpmgr.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/io/pnpmgr/pnpmgr.c b/ntoskrnl/io/pnpmgr/pnpmgr.c
index 1362a89f03..b4f59f4d17 100644
--- a/ntoskrnl/io/pnpmgr/pnpmgr.c
+++ b/ntoskrnl/io/pnpmgr/pnpmgr.c
@@ -2854,16 +2854,11 @@ IopActionConfigureChildServices(PDEVICE_NODE DeviceNode,
if (!(DeviceNode->Flags & (DNF_DISABLED | DNF_STARTED | DNF_ADDED))) { - WCHAR RegKeyBuffer[MAX_PATH]; UNICODE_STRING RegKey;
/* Install the service for this if it's in the CDDB */ IopInstallCriticalDevice(DeviceNode);
- RegKey.Length = 0; - RegKey.MaximumLength = sizeof(RegKeyBuffer); - RegKey.Buffer = RegKeyBuffer; - /* * Retrieve configuration from Enum key */ @@ -2885,11 +2880,24 @@ IopActionConfigureChildServices(PDEVICE_NODE DeviceNode, QueryTable[1].DefaultData = L""; QueryTable[1].DefaultLength = 0;
- RtlAppendUnicodeToString(&RegKey, L"\Registry\Machine\System\CurrentControlSet\Enum\");
+ RegKey.Length = 0;
+ RegKey.MaximumLength = sizeof(ENUM_ROOT) + sizeof(WCHAR) + DeviceNode->InstancePath.Length;
+ RegKey.Buffer = ExAllocatePoolWithTag(PagedPool,
+ RegKey.MaximumLength,
+ TAG_IO);
+ if (RegKey.Buffer == NULL)
+ {
+ IopDeviceNodeSetFlag(DeviceNode, DNF_DISABLED);
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ RtlAppendUnicodeToString(&RegKey, ENUM_ROOT);
+ RtlAppendUnicodeToString(&RegKey, L"\");
RtlAppendUnicodeStringToString(&RegKey, &DeviceNode->InstancePath);
Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, RegKey.Buffer, QueryTable, NULL, NULL); + ExFreePoolWithTag(RegKey.Buffer, TAG_IO);
if (!NT_SUCCESS(Status)) {
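Review bot: The byte count assigned to `RegKey.MaximumLength` is computed in a wider type and then narrowed to the USHORT field, so an `InstancePath.Length` near the USHORT limit would wrap and size the allocation from the truncated value. The `RtlAppend*` calls bound their writes by `MaximumLength`, so this should not overrun the pool block, but their statuses are ignored here. After a failed append, `RtlQueryRegistryValues` would read `RegKey.Buffer` as a NUL-terminated path that is either truncated or, if the first append failed, still uninitialized pool. Instance paths that long are presumably not expected, but the guard is cheap: compute the sum in a `ULONG`, bail out before allocating when it exceeds `MAXUSHORT`, and check the status of the final `RtlAppendUnicodeStringToString` before the query. The function body starts and ends outside the hunk, so any earlier length validation on `InstancePath` is not visible here.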