https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a748350fc9c342149e7f8…
commit a748350fc9c342149e7f8dc798a6c696f4ec9ef3
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Sun Dec 27 00:33:32 2020 +0100
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Sun Dec 27 00:52:00 2020 +0100
[NTOS:IO] Fail if the driver name passed to NtLoadDriver() is an empty string.
Otherwise an assertion on the driver name is hit later on.
Can be reproduced by calling NtLoadDriver with a valid UNICODE_STRING
of Length == 0.
---
ntoskrnl/io/iomgr/driver.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index 9f7d5ed5aba..3b033f9ab32 100644
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -1251,7 +1251,7 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN
UnloadPnpDrivers)
DPRINT("IopUnloadDriver('%wZ', %u)\n", &CapturedServiceName,
UnloadPnpDrivers);
/* We need a service name */
- if (CapturedServiceName.Length == 0)
+ if (CapturedServiceName.Length == 0 || CapturedServiceName.Buffer == NULL)
{
ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
return STATUS_INVALID_PARAMETER;
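Review bot: On the new `CapturedServiceName.Buffer == NULL` branch, `ReleaseCapturedUnicodeString` is called with a NULL buffer, and nothing visible in this hunk shows that the helper tolerates that. This is worth confirming, and the same applies to the identical guard added to NtLoadDriver in the second hunk. Since the guard is now duplicated in both functions, a comment stating the invariant would help, e.g. `/* Reject empty or NULL-buffer names: the code below assumes a non-empty service name */`. IopUnloadDriver's body starts and ends outside the hunk.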
@@ -2161,6 +2161,13 @@ NtLoadDriver(IN PUNICODE_STRING DriverServiceName)
DPRINT("NtLoadDriver('%wZ')\n", &CapturedServiceName);
+ /* We need a service name */
+ if (CapturedServiceName.Length == 0 || CapturedServiceName.Buffer == NULL)
+ {
+ ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
+ return STATUS_INVALID_PARAMETER;
+ }
+
/* Load driver and call its entry point */
DriverObject = NULL;
Status = IopLoadUnloadDriver(&CapturedServiceName, &DriverObject);
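Review bot: The guard added after the DPRINT covers only the zero-length and NULL-buffer cases, and the assertion the commit message refers to sits in code outside this hunk. It is therefore not visible whether other malformed caller-supplied names (for instance a Length that is not a multiple of `sizeof(WCHAR)`, or a name whose final component is empty) are rejected with a status or still reach that assertion. Because DriverServiceName comes from the caller of a system service, every malformed form should end in `STATUS_INVALID_PARAMETER`; if the downstream code relies on an ASSERT alone, that check should become a real runtime test. A comment at the guard such as `/* Caller-controlled: must be non-empty before IopLoadUnloadDriver() */` would document the precondition. NtLoadDriver's body starts and ends outside the hunk.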