Author: tkreuzer Date: Wed Jan 25 16:45:42 2012 New Revision: 55173
URL: http://svn.reactos.org/svn/reactos?rev=55173&view=rev Log: [FREELDR] Fix wrong buffer size calculation that could lead to memory corruption Kudos go to Jardar for debugging the issue.
Modified: trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
Modified: trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/boot/freeldr/freeldr/arch/i...
==============================================================================
--- trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c [iso-8859-1] (original)
+++ trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c [iso-8859-1] Wed Jan 25 16:45:42 2012
@@ -250,7 +250,8 @@
 TRACE("Estimated buffer size %u\n", NodeSize * NodeCount);
/* Set 'Configuration Data' value */
- Size = sizeof(CM_PARTIAL_RESOURCE_LIST) + (NodeSize * NodeCount);
+ Size = sizeof(CM_PARTIAL_RESOURCE_LIST) +
+ sizeof(CM_PNP_BIOS_INSTALLATION_CHECK) + (NodeSize * NodeCount);
 PartialResourceList = MmHeapAlloc(Size);
 if (PartialResourceList == NULL)
 {
@@ -268,8 +269,8 @@
 PartialResourceList->PartialDescriptors[0].ShareDisposition = CmResourceShareUndetermined;
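Review bot: The added `Size = sizeof(CM_PARTIAL_RESOURCE_LIST) + sizeof(CM_PNP_BIOS_INSTALLATION_CHECK) + (NodeSize * NodeCount);` still has no overflow guard on the product, so if NodeSize and NodeCount are firmware-supplied (the TRACE on the first context line calls the result an estimate, which suggests they come from the PnP BIOS) a corrupt or hostile pair can wrap the unsigned multiplication and MmHeapAlloc returns a buffer far smaller than the copies that follow expect. The per-node check this commit adds later compares against the already-wrapped Size, so it does not catch that case. I would reject the estimate before the assignment with `if (NodeCount != 0 && NodeSize > (MAXULONG - sizeof(CM_PARTIAL_RESOURCE_LIST) - sizeof(CM_PNP_BIOS_INSTALLATION_CHECK)) / NodeCount)` and bail out through the same path used when MmHeapAlloc fails, using the maximum of Size's actual type in place of MAXULONG if Size is not a ULONG (the `%u` format suggests it is). The enclosing function starts before this hunk and continues after it.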
- Ptr = (char *)(((ULONG_PTR)&PartialResourceList->PartialDescriptors[0]) +
- sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR));
+ /* The buffer starts after PartialResourceList->PartialDescriptors[0] */
+ Ptr = (char *)(PartialResourceList + 1);
/* Set instalation check data */
 memcpy (Ptr, InstData, sizeof(CM_PNP_BIOS_INSTALLATION_CHECK));
@@ -291,6 +292,12 @@
 DeviceNode->Node, DeviceNode->Size, DeviceNode->Size);
+
+ if (PnpBufferSize + DeviceNode->Size > Size)
+ {
+ ERR("Buffer too small!\n");
+ break;
+ }
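Review bot: The new comment above the added `Ptr = (char *)(PartialResourceList + 1);` says where the buffer starts but not why that address is the right one; the expression only works because PartialDescriptors[0] is the final member of CM_PARTIAL_RESOURCE_LIST, so one past the struct coincides with the end of descriptor 0 and with the sizeof(CM_PNP_BIOS_INSTALLATION_CHECK) bytes the allocation now reserves for the memcpy that follows. I would widen the comment to `/* Data follows the single descriptor: PartialDescriptors[0] is the last member of CM_PARTIAL_RESOURCE_LIST, so one past the struct is where the installation check and the PnP nodes are copied */`. The removed ULONG_PTR arithmetic named the same address, so this is a readability change only, assuming no trailing padding after the descriptor array (worth stating, since that is what keeps the two forms equal). The enclosing function starts before this hunk and continues after it.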
memcpy (Ptr, DeviceNode,