Author: tkreuzer
Date: Wed Oct 22 19:20:03 2014
New Revision: 64903
URL: 
http://svn.reactos.org/svn/reactos?rev=64903&view=rev
Log:
[NTOSKRNL]
- Fix potential use-after-free CID 732509
- Fix buffer size in call to ObQueryNameString
Modified:
    trunk/reactos/ntoskrnl/io/iomgr/error.c
Modified: trunk/reactos/ntoskrnl/io/iomgr/error.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/error.c?…
==============================================================================
--- trunk/reactos/ntoskrnl/io/iomgr/error.c     [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/io/iomgr/error.c     [iso-8859-1] Wed Oct 22 19:20:03 2014
@@ -310,11 +310,9 @@
             /* We do, query its name */
             Status = ObQueryNameString(LogEntry->DeviceObject,
                                        ObjectNameInfo,
-                                       sizeof(OBJECT_NAME_INFORMATION) +
-                                       100 -
-                                       DriverNameLength,
+                                       sizeof(Buffer),
                                        &ReturnedLength);
-            if ((!NT_SUCCESS(Status)) || !(ObjectNameInfo->Name.Length))
+            if (!NT_SUCCESS(Status) || (ObjectNameInfo->Name.Length == 0))
             {
                 /* Setup an empty name */
                 ObjectNameInfo->Name.Length = 0;
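Review bot: The length passed to ObQueryNameString is now `sizeof(Buffer)` while the destination is `ObjectNameInfo`, so the write is bounded correctly only if `ObjectNameInfo` points at `Buffer` when this call runs. The second hunk resets the pointer to `&Buffer` after `PoolObjectNameInfo` is freed, which suggests it can refer to a pool allocation elsewhere in the function; that code is outside this hunk, so this is an inference. I would pin the invariant just before the call with `ASSERT(ObjectNameInfo == (POBJECT_NAME_INFORMATION)&Buffer);`, or at least a comment stating it, so a later change to the pointer cannot silently turn the size argument into an over-length bound. The enclosing function starts and ends outside the hunk.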
@@ -371,6 +369,7 @@
         {
             ExFreePool(PoolObjectNameInfo);
             PoolObjectNameInfo = NULL;
+            ObjectNameInfo = (POBJECT_NAME_INFORMATION)&Buffer;
         }
         /* Go to the next string buffer position */