Author: tfaber Date: Sat Sep 22 09:18:34 2012 New Revision: 57360
URL: http://svn.reactos.org/svn/reactos?rev=57360&view=rev Log: [KERNEL32] - Fix buffer overflow in PeekNamedPipe
Modified: trunk/reactos/dll/win32/kernel32/client/file/npipe.c
Modified: trunk/reactos/dll/win32/kernel32/client/file/npipe.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/client/f... ==============================================================================
--- trunk/reactos/dll/win32/kernel32/client/file/npipe.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/kernel32/client/file/npipe.c [iso-8859-1] Sat Sep 22 09:18:34 2012
@@ -1173,7 +1173,7 @@ NTSTATUS Status;
/* Calculate the buffer space that we'll need and allocate it */
- BufferSize = nBufferSize + sizeof(FILE_PIPE_PEEK_BUFFER);
+ BufferSize = FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[nBufferSize]);
Buffer = RtlAllocateHeap(RtlGetProcessHeap(), 0, BufferSize);
if (Buffer == NULL)
{
@@ -1215,11 +1215,15 @@
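Review bot: The new `FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[nBufferSize])` line carries the whole fix but nothing says why `sizeof` was wrong, so a later cleanup could easily "simplify" it back; the comment above it should state the reason, e.g. `/* Size the buffer for exactly nBufferSize data bytes: sizeof() includes Data[1] plus padding, which let the peek return more bytes than the caller's buffer holds */`. Separately, the offset plus `nBufferSize` is computed in ULONG arithmetic and can wrap for a caller-supplied size near the type's maximum, yielding a tiny allocation; whether that is reachable in practice depends on the caller validation earlier in the function, which is outside this hunk, so a guard such as `if (nBufferSize > MAXULONG - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0])) return FALSE with ERROR_INVALID_PARAMETER` is worth confirming rather than assuming. The enclosing function begins before and continues past this hunk.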
/* Check if caller requested bytes available */
if (lpTotalBytesAvail)
+ {
+ /* Return bytes available */
*lpTotalBytesAvail = Buffer->ReadDataAvailable;
+ }
/* Calculate the bytes returned, minus our structure overhead */
BytesRead = (ULONG)(Iosb.Information - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]));
+ ASSERT(BytesRead <= nBufferSize);
/* Check if caller requested bytes read */
if (lpBytesRead)
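Review bot: The added `ASSERT(BytesRead <= nBufferSize)` is compiled out of release builds, so the bound that protects the caller's `lpBuffer` in the copy that presumably follows this hunk rests entirely on the kernel never returning more than the output-buffer length it was given; a user-mode wrapper should not trust that unconditionally, so keep the ASSERT for debugging and add a hard check, e.g. `if (BytesRead > nBufferSize) BytesRead = nBufferSize;` (or fail the call) before the copy. In the same spirit, if `Iosb.Information` can ever be smaller than `FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0])` on a successful completion, the unsigned subtraction wraps to a huge `BytesRead`; whether the status check above the hunk rules that out is not visible here and deserves a comment either way. The enclosing function continues past this hunk.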