commit 0d28f271565c5ec3e04b6277d83dd6b341e680eb
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Thu Jun 10 21:20:17 2021 +0200
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Wed Jun 16 22:14:01 2021 +0200
[NTOS:IO] Fix similar bugs in IopGetDriverNames(), IopInitializeBuiltinDriver() and
IopLoadDriver().
- As they are initialized, some registry string values must be NULL-terminated.
- When retrieving REG_DWORD registry values, validate their length.
---
ntoskrnl/io/iomgr/driver.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index 4fd092662d4..6d82bfc536e 100644
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -144,7 +144,7 @@ IopGetDriverNames(
return STATUS_ILL_FORMED_SERVICE_ENTRY;
}
- driverName.Length = kvInfo->DataLength - sizeof(WCHAR);
+ driverName.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
driverName.MaximumLength = kvInfo->DataLength;
driverName.Buffer = ExAllocatePoolWithTag(NonPagedPool, driverName.MaximumLength,
TAG_IO);
if (!driverName.Buffer)
@@ -156,6 +156,7 @@ IopGetDriverNames(
RtlMoveMemory(driverName.Buffer,
(PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
driverName.Length);
+ driverName.Buffer[driverName.Length / sizeof(WCHAR)] = UNICODE_NULL;
ExFreePool(kvInfo);
}
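Review bot: The new terminator store `driverName.Buffer[driverName.Length / sizeof(WCHAR)] = UNICODE_NULL;` is in bounds only if MaximumLength really equals Length + sizeof(WCHAR), and the preceding hunk derives both USHORT fields separately from the ULONG `kvInfo->DataLength`, so a value larger than MAXUSHORT truncates MaximumLength (and therefore the allocation) while Length stays near 0xFFFF, making the RtlMoveMemory and this store overrun the buffer; a DataLength smaller than sizeof(UNICODE_NULL) likewise underflows the Length subtraction. The check that returns STATUS_ILL_FORMED_SERVICE_ENTRY just above those assignments is outside the hunk, so I cannot tell whether it already bounds DataLength; if it does not, reject such values there, e.g. `if (kvInfo->DataLength < sizeof(UNICODE_NULL) || kvInfo->DataLength > MAXUSHORT) return STATUS_ILL_FORMED_SERVICE_ENTRY;` before Length and MaximumLength are assigned. The same pattern appears for instancePath in IopInitializeBuiltinDriver (the hunks at -924 and -932) and for ImagePath in IopLoadDriver, whose Length/MaximumLength assignments are not visible in this diff. IopGetDriverNames continues outside the hunk.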
@@ -204,7 +205,7 @@ IopGetDriverNames(
ExFreePoolWithTag(basicInfo, TAG_IO);
return status;
}
- if (kvInfo->Type != REG_DWORD)
+ if (kvInfo->Type != REG_DWORD || kvInfo->DataLength != sizeof(ULONG))
{
ExFreePool(kvInfo);
ExFreePoolWithTag(basicInfo, TAG_IO); // container for serviceName
@@ -897,7 +898,7 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)
{
goto Cleanup;
}
- if (kvInfo->Type != REG_DWORD)
+ if (kvInfo->Type != REG_DWORD || kvInfo->DataLength != sizeof(ULONG))
{
ExFreePool(kvInfo);
goto Cleanup;
@@ -924,7 +925,7 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)
continue;
}
- instancePath.Length = kvInfo->DataLength - sizeof(WCHAR);
+ instancePath.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
instancePath.MaximumLength = kvInfo->DataLength;
instancePath.Buffer = ExAllocatePoolWithTag(NonPagedPool,
instancePath.MaximumLength,
@@ -932,8 +933,9 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)
if (instancePath.Buffer)
{
RtlMoveMemory(instancePath.Buffer,
- (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
- instancePath.Length);
+ (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
+ instancePath.Length);
+ instancePath.Buffer[instancePath.Length / sizeof(WCHAR)] = UNICODE_NULL;
PDEVICE_OBJECT pdo =
IopGetDeviceObjectFromDeviceInstance(&instancePath);
PiQueueDeviceAction(pdo, PiActionAddBootDevices, NULL, NULL);
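Review bot: `pdo` returned by IopGetDeviceObjectFromDeviceInstance(&instancePath) is passed straight to PiQueueDeviceAction without a NULL check, so if the lookup can fail for an instance path that has no device object, the action is queued against a null device; I cannot see from the hunk whether PiQueueDeviceAction tolerates NULL. Either guard the call, `if (pdo) PiQueueDeviceAction(pdo, PiActionAddBootDevices, NULL, NULL);`, or add a comment at the call site stating that the callee accepts a NULL device object. The instancePath buffer allocated a few lines above is not released within the hunk either; whether ownership passes to the callee or it is freed later in the loop body is outside this view. IopInitializeBuiltinDriver continues past the end of the hunk.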
@@ -1900,6 +1902,7 @@ IopLoadDriver(
RtlMoveMemory(ImagePath.Buffer,
(PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
ImagePath.Length);
+ ImagePath.Buffer[ImagePath.Length / sizeof(WCHAR)] = UNICODE_NULL;
ExFreePool(kvInfo);
}
else