commit 2242ca6920d8c6f9734d118aa4698cbddf83da8f Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Sat May 2 17:42:40 2020 +0200 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sun May 17 20:56:16 2020 +0200
[NTOS:PNP] Avoid an unnecessary stack buffer in PnpRootCreateDevice. CORE-15882 --- ntoskrnl/io/pnpmgr/pnproot.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/ntoskrnl/io/pnpmgr/pnproot.c b/ntoskrnl/io/pnpmgr/pnproot.c
index 5e2ec7473a0..e89426acb00 100644
--- a/ntoskrnl/io/pnpmgr/pnproot.c
+++ b/ntoskrnl/io/pnpmgr/pnproot.c
@@ -191,7 +191,7 @@ PnpRootCreateDevice(
{
PPNPROOT_FDO_DEVICE_EXTENSION DeviceExtension;
PPNPROOT_PDO_DEVICE_EXTENSION PdoDeviceExtension;
- WCHAR DevicePath[MAX_PATH + 1];
+ UNICODE_STRING DevicePath;
WCHAR InstancePath[5];
PPNPROOT_DEVICE Device = NULL;
NTSTATUS Status;
@@ -207,7 +207,19 @@ PnpRootCreateDevice(
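Review bot: `UNICODE_STRING DevicePath;` is declared without an initializer, while the cleanup label now calls `RtlFreeUnicodeString(&DevicePath)` unconditionally (the -377 hunk). Any `goto cleanup` between this declaration and the allocation in the -207 hunk would hand an indeterminate Buffer to the pool; the lines in between are outside the diff, so I cannot tell whether such an exit exists today, but the next one added will hit it. Initializing the string where it is declared, `UNICODE_STRING DevicePath = { 0, 0, NULL };`, makes the cleanup path safe from every exit, as `Device = NULL` already does for the other freed object. PnpRootCreateDevice's signature lies before this hunk.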
DPRINT("Creating a PnP root device for service '%wZ'\n", ServiceName);
- _snwprintf(DevicePath, sizeof(DevicePath) / sizeof(WCHAR), L"%s\%wZ", REGSTR_KEY_ROOTENUM, ServiceName);
+ DevicePath.Length = 0;
+ DevicePath.MaximumLength = sizeof(REGSTR_KEY_ROOTENUM) + sizeof(L'\') + ServiceName->Length;
+ DevicePath.Buffer = ExAllocatePoolWithTag(PagedPool,
+ DevicePath.MaximumLength,
+ TAG_PNP_ROOT);
+ if (DevicePath.Buffer == NULL)
+ {
+ DPRINT1("ExAllocatePoolWithTag() failed\n");
+ Status = STATUS_NO_MEMORY;
+ goto cleanup;
+ }
+ RtlAppendUnicodeToString(&DevicePath, REGSTR_KEY_ROOTENUM L"\");
+ RtlAppendUnicodeStringToString(&DevicePath, ServiceName);
/* Initialize a PNPROOT_DEVICE structure */
Device = ExAllocatePoolWithTag(PagedPool, sizeof(PNPROOT_DEVICE), TAG_PNP_ROOT);
@@ -218,11 +230,8 @@ PnpRootCreateDevice(
goto cleanup;
}
RtlZeroMemory(Device, sizeof(PNPROOT_DEVICE));
- if (!RtlCreateUnicodeString(&Device->DeviceID, DevicePath))
- {
- Status = STATUS_NO_MEMORY;
- goto cleanup;
- }
+ Device->DeviceID = DevicePath;
+ RtlInitEmptyUnicodeString(&DevicePath, NULL, 0);
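Review bot: The two RtlAppend* calls at the end of the hunk drop their NTSTATUS, and the LocateChildDevice calls in the -258 and -272 hunks pass `Device->DeviceID.Buffer` where a NUL-terminated WCHAR array used to go, which only works because sizeof(REGSTR_KEY_ROOTENUM) counts the literal's terminator and, as far as I recall, RtlAppend* write a terminator when Length stays below MaximumLength. That two-byte slack deserves a comment on the MaximumLength line, e.g. `/* sizeof() of the literal includes its NUL; that spare WCHAR keeps Buffer NUL-terminated for LocateChildDevice */`, so nobody "fixes" it to an exact size later. MaximumLength is a USHORT, so a ServiceName whose Length is close to 0xFFFF would truncate the sum and make the appends fail silently with a short DeviceID; storing each append's result in `Status` and jumping to cleanup on failure closes that hole at the cost of two lines. The buffer is also allocated with TAG_PNP_ROOT but released by RtlFreeUnicodeString (the -377 hunk, and presumably wherever Device->DeviceID is freed); if that routine frees with its own string tag, allocation and free tags no longer match, whereas the old RtlCreateUnicodeString path used one tag for both. PnpRootCreateDevice begins before this hunk.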
Status = IopOpenRegistryKeyEx(&EnumHandle, NULL, &EnumKeyName, KEY_READ);
if (NT_SUCCESS(Status))
@@ -258,7 +267,7 @@ tryagain:
for (NextInstance = 0; NextInstance <= 9999; NextInstance++)
{
_snwprintf(InstancePath, sizeof(InstancePath) / sizeof(WCHAR), L"%04lu", NextInstance);
- Status = LocateChildDevice(DeviceExtension, DevicePath, InstancePath, &Device);
+ Status = LocateChildDevice(DeviceExtension, Device->DeviceID.Buffer, InstancePath, &Device);
if (Status == STATUS_NO_SUCH_DEVICE)
break;
}
@@ -272,7 +281,7 @@ tryagain:
}
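Review bot: `Device->DeviceID = DevicePath;` followed by `RtlInitEmptyUnicodeString(&DevicePath, NULL, 0);` transfers ownership of the pool buffer, but nothing in the hunk says so, and a reader reaching the `RtlFreeUnicodeString(&DevicePath)` at the cleanup label has to reconstruct why the two frees never overlap. Suggest a comment above the assignment: `/* Device now owns the buffer; reset DevicePath so cleanup frees it only through Device->DeviceID */`. The function continues outside this hunk.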
_snwprintf(InstancePath, sizeof(InstancePath) / sizeof(WCHAR), L"%04lu", NextInstance);
- Status = LocateChildDevice(DeviceExtension, DevicePath, InstancePath, &Device);
+ Status = LocateChildDevice(DeviceExtension, Device->DeviceID.Buffer, InstancePath, &Device);
if (Status != STATUS_NO_SUCH_DEVICE || NextInstance > 9999)
{
DPRINT1("NextInstance value is corrupt! (%lu)\n", NextInstance);
@@ -377,6 +386,7 @@ cleanup:
RtlFreeUnicodeString(&Device->InstanceID);
ExFreePoolWithTag(Device, TAG_PNP_ROOT);
}
+ RtlFreeUnicodeString(&DevicePath);
if (DeviceKeyHandle != NULL)
ObCloseHandle(DeviceKeyHandle, KernelMode);
return Status;