https://git.reactos.org/?p=reactos.git;a=commitdiff;h=63977328b1b163d2cadb05...
commit 63977328b1b163d2cadb05b52330ae12910b7d98 Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Sat Jan 19 11:35:18 2019 +0100 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sat Feb 2 22:50:02 2019 +0100
[NTOSKRNL] Guard against negative InformationClass enum values. CORE-15651 --- ntoskrnl/ex/sysinfo.c | 6 ++++-- ntoskrnl/io/iomgr/iofunc.c | 18 ++++++++++++------ 2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/ntoskrnl/ex/sysinfo.c b/ntoskrnl/ex/sysinfo.c
index a7883d4944..4949705ab2 100644
--- a/ntoskrnl/ex/sysinfo.c
+++ b/ntoskrnl/ex/sysinfo.c
@@ -2847,7 +2847,8 @@ NtQuerySystemInformation(
 /*
 * Check if the request is valid.
 */
- if (SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
+ if (SystemInformationClass < MIN_SYSTEM_INFO_CLASS ||
+ SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
 {
 _SEH2_YIELD(return STATUS_INVALID_INFO_CLASS);
 }
@@ -2871,7 +2872,8 @@ NtQuerySystemInformation(
 /*
 * Check if the request is valid.
 */
- if (SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
+ if (SystemInformationClass < MIN_SYSTEM_INFO_CLASS ||
+ SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
 {
 _SEH2_YIELD(return STATUS_INVALID_INFO_CLASS);
 }
diff --git a/ntoskrnl/io/iomgr/iofunc.c b/ntoskrnl/io/iomgr/iofunc.c
index 61fd88f8fd..f2d3e59dd2 100644
--- a/ntoskrnl/io/iomgr/iofunc.c
+++ b/ntoskrnl/io/iomgr/iofunc.c
@@ -2158,7 +2158,8 @@ NtQueryInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopQueryOperationLength[FileInformationClass]))
 {
 /* Invalid class */
@@ -2192,7 +2193,8 @@ NtQueryInformationFile(IN HANDLE FileHandle,
 else
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopQueryOperationLength[FileInformationClass]))
 {
 /* Invalid class */
@@ -2959,7 +2961,8 @@ NtSetInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopSetOperationLength[FileInformationClass]))
 {
 /* Invalid class */
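Review bot: `MIN_SYSTEM_INFO_CLASS` is not defined anywhere in this diff, so the lower bound added in both NtQuerySystemInformation hunks (-2847 and -2871) cannot be checked against the table it is meant to protect; iofunc.c in the same commit uses a literal `0` for the same purpose. The existing comment `Check if the request is valid.` also does not say why a lower bound is needed. I would extend it to something like `/* The class comes from the caller and the enum may be signed: reject negative values as well as values past the end. */` and confirm that the constant equals the first valid class. The function body continues outside both hunks, so how the class is used after the check is not visible here.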
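Review bot: The new `(FileInformationClass < 0)` test in the -2158 hunk only has an effect when the compiler gives the enum a signed underlying type; where the enum is unsigned the comparison is always false and can draw a type-limits warning. The short-circuit order is right, since both bound checks run before `IopQueryOperationLength[FileInformationClass]` is read, so this is a robustness and style point rather than a defect. A single unsigned comparison, `if (((ULONG)FileInformationClass >= FileMaximumInformation) ||`, rejects both ends regardless of signedness and keeps the condition at its original length. The same applies to the other five iofunc.c hunks (-2192, -2959, -2995, -3991, -4163), with `FsInformationClass` and `FileFsMaximumInformation` in the last two. All of the enclosing functions continue outside their hunks.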
@@ -2995,7 +2998,8 @@ NtSetInformationFile(IN HANDLE FileHandle,
 else
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopSetOperationLength[FileInformationClass]))
 {
 /* Invalid class */
@@ -3991,7 +3995,8 @@ NtQueryVolumeInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FsInformationClass >= FileFsMaximumInformation) ||
+ if ((FsInformationClass < 0) ||
+ (FsInformationClass >= FileFsMaximumInformation) ||
 !(IopQueryFsOperationLength[FsInformationClass]))
 {
 /* Invalid class */
@@ -4163,7 +4168,8 @@ NtSetVolumeInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FsInformationClass >= FileFsMaximumInformation) ||
+ if ((FsInformationClass < 0) ||
+ (FsInformationClass >= FileFsMaximumInformation) ||
 !(IopSetFsOperationLength[FsInformationClass]))
 {
 /* Invalid class */
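Review bot: NtQueryVolumeInformationFile (-3991) and NtSetVolumeInformationFile (-4163) receive the lower bound only inside `if (PreviousMode != KernelMode)`, whereas NtQueryInformationFile and NtSetInformationFile are patched in both the user-mode branch and the `else` branch. Whether the volume functions have a kernel-mode path that indexes `IopQueryFsOperationLength` or `IopSetFsOperationLength` is not visible in these hunks; if they do, that path would still accept a negative `FsInformationClass`. I would either add the same guard there or leave a comment such as `/* Kernel-mode callers are trusted to pass a valid class */` so the omission is recorded as deliberate.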