Author: fireball
Date: Sun Jan 4 07:43:08 2009
New Revision: 38561
URL:
http://svn.reactos.org/svn/reactos?rev=38561&view=rev
Log:
Dmitry Chapyshev
- Add buffer length checks to NtQueryInformationThread.
Modified:
trunk/reactos/ntoskrnl/ps/query.c
Modified: trunk/reactos/ntoskrnl/ps/query.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ps/query.c?rev=38…
==============================================================================
--- trunk/reactos/ntoskrnl/ps/query.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ps/query.c [iso-8859-1] Sun Jan 4 07:43:08 2009
@@ -1200,6 +1200,14 @@
/* Basic thread information */
case ThreadBasicInformation:
+ /* Set return length */
+ Length = sizeof(THREAD_BASIC_INFORMATION);
+
+ if (ThreadInformationLength != Length)
+ {
+ Status = STATUS_INFO_LENGTH_MISMATCH;
+ break;
+ }
/* Protect writes with SEH */
_SEH2_TRY
{
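Review bot: `Length` is now assigned before the `ThreadInformationLength != Length` check, so on the new `break` path it holds the expected structure size rather than the value it had before the switch; whether that reaches the caller's ReturnLength on STATUS_INFO_LENGTH_MISMATCH depends on the code after the switch, which is outside this hunk, and should be confirmed against the intended contract (the pre-change code set `Length` only after a successful write). The same eight-line check-and-break block is repeated verbatim in the ThreadTimes, ThreadQuerySetWin32StartAddress, ThreadPerformanceCount, ThreadAmILastThread and ThreadIsIoPending hunks; a single expected-size lookup before the switch, or a small static helper, would keep the six copies from drifting when a class is added. A one-line comment on this first copy, `/* Length is set before the check so the required size is known on the mismatch path */`, would record why the assignment precedes the comparison. The enclosing switch and NtQueryInformationThread itself start and end outside the hunk.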
@@ -1210,9 +1218,6 @@
ThreadBasicInfo->AffinityMask = Thread->Tcb.Affinity;
ThreadBasicInfo->Priority = Thread->Tcb.Priority;
ThreadBasicInfo->BasePriority =
KeQueryBasePriorityThread(&Thread->Tcb);
-
- /* Set return length */
- Length = sizeof(THREAD_BASIC_INFORMATION);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
@@ -1225,6 +1230,14 @@
/* Thread time information */
case ThreadTimes:
+ /* Set the return length */
+ Length = sizeof(KERNEL_USER_TIMES);
+
+ if (ThreadInformationLength != Length)
+ {
+ Status = STATUS_INFO_LENGTH_MISMATCH;
+ break;
+ }
/* Protect writes with SEH */
_SEH2_TRY
{
@@ -1235,9 +1248,6 @@
100000LL;
ThreadTime->CreateTime = Thread->CreateTime;
ThreadTime->ExitTime = Thread->ExitTime;
-
- /* Set the return length */
- Length = sizeof(KERNEL_USER_TIMES);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
@@ -1249,14 +1259,19 @@
case ThreadQuerySetWin32StartAddress:
+ /* Set the return length*/
+ Length = sizeof(PVOID);
+
+ if (ThreadInformationLength != Length)
+ {
+ Status = STATUS_INFO_LENGTH_MISMATCH;
+ break;
+ }
/* Protect write with SEH */
_SEH2_TRY
{
/* Return the Win32 Start Address */
*(PVOID*)ThreadInformation = Thread->Win32StartAddress;
-
- /* Set the return length*/
- Length = sizeof(PVOID);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
@@ -1268,14 +1283,19 @@
case ThreadPerformanceCount:
+ /* Set the return length*/
+ Length = sizeof(LARGE_INTEGER);
+
+ if (ThreadInformationLength != Length)
+ {
+ Status = STATUS_INFO_LENGTH_MISMATCH;
+ break;
+ }
/* Protect write with SEH */
_SEH2_TRY
{
/* FIXME */
(*(PLARGE_INTEGER)ThreadInformation).QuadPart = 0;
-
- /* Set the return length*/
- Length = sizeof(LARGE_INTEGER);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
@@ -1287,6 +1307,14 @@
case ThreadAmILastThread:
+ /* Set the return length*/
+ Length = sizeof(ULONG);
+
+ if (ThreadInformationLength != Length)
+ {
+ Status = STATUS_INFO_LENGTH_MISMATCH;
+ break;
+ }
/* Protect write with SEH */
_SEH2_TRY
{
@@ -1296,9 +1324,6 @@
&Thread->ThreadsProcess->
ThreadListHead) ?
TRUE : FALSE);
-
- /* Set the return length*/
- Length = sizeof(ULONG);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
@@ -1310,6 +1335,14 @@
case ThreadIsIoPending:
+ /* Set the return length*/
+ Length = sizeof(ULONG);
+
+ if (ThreadInformationLength != Length)
+ {
+ Status = STATUS_INFO_LENGTH_MISMATCH;
+ break;
+ }
/* Raise the IRQL to protect the IRP list */
KeRaiseIrql(APC_LEVEL, &OldIrql);
@@ -1318,9 +1351,6 @@
{
/* Check if the IRP list is empty or not */
*(PULONG)ThreadInformation = !IsListEmpty(&Thread->IrpList);
-
- /* Set the return length*/
- Length = sizeof(ULONG);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{