Author: dgorbachev Date: Mon Dec 7 02:30:32 2009 New Revision: 44449
URL: http://svn.reactos.org/svn/reactos?rev=44449&view=rev Log: Avoid buffer overflow (bug #4693).
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msafd/misc/dllmai... ==============================================================================
--- trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] Mon Dec 7 02:30:32 2009
@@ -560,9 +560,15 @@
 PAFD_BIND_DATA BindData;
 PSOCKET_INFORMATION Socket = NULL;
 NTSTATUS Status;
- UCHAR BindBuffer[0x1A];
 SOCKADDR_INFO SocketInfo;
 HANDLE SockEvent;
+
+ /* See below */
+ BindData = HeapAlloc(GlobalHeap, 0, 0xA + SocketAddressLength);
+ if (!BindData)
+ {
+ return MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL);
+ }
Status = NtCreateEvent(&SockEvent,
 GENERIC_READ | GENERIC_WRITE,
@@ -570,14 +576,14 @@
 1,
 FALSE);
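Review bot: `0xA + SocketAddressLength` is used as the allocation size with no range check on SocketAddressLength visible in this hunk; if that is the caller-supplied length (its declaration is outside the hunk), a small negative value yields a block too small for the fields written afterwards, and the `BindData->Address.TAAddressCount = 1;` store further down would then land outside it. A guard ahead of the HeapAlloc, at minimum `if (SocketAddressLength <= 0) return MsafdReturnWithErrno(STATUS_INVALID_PARAMETER, lpErrno, 0, NULL);`, would keep the heap version from inheriting a variant of the overflow this commit fixes. The `/* See below */` comment also has nothing left to point at: the only explanatory comment visible later, `/* Dynamic Structure...ugh */`, is deleted by this same commit, so the comment should state what the 0xA bytes cover.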
- if( !NT_SUCCESS(Status) )
- return -1;
+ if (!NT_SUCCESS(Status))
+ {
+ HeapFree(GlobalHeap, 0, BindData);
+ return SOCKET_ERROR;
+ }
/* Get the Socket Structure associate to this Socket*/
 Socket = GetSocketStructure(Handle);
-
- /* Dynamic Structure...ugh */
- BindData = (PAFD_BIND_DATA)BindBuffer;
/* Set up Address in TDI Format */
 BindData->Address.TAAddressCount = 1;
@@ -633,9 +639,9 @@
 Socket->SharedData.State = SocketBound;
 Socket->TdiAddressHandle = (HANDLE)IOSB.Information;
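Review bot: The NtCreateEvent failure branch returns `SOCKET_ERROR` without storing anything through lpErrno, whereas the allocation-failure branch added earlier in this commit and the final return both go through MsafdReturnWithErrno. A caller that reads the error code after this failure would presumably see a stale value. Replacing the bare return with `return MsafdReturnWithErrno(Status, lpErrno, 0, NULL);` after the HeapFree would make the three exits report errors the same way. The function begins before and continues after this hunk.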
- NtClose( SockEvent );
-
- return MsafdReturnWithErrno ( Status, lpErrno, 0, NULL );
+ NtClose(SockEvent);
+ HeapFree(GlobalHeap, 0, BindData);
+ return MsafdReturnWithErrno(Status, lpErrno, 0, NULL);
 }
int
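Review bot: BindData is released only on this final fall-through exit and on the NtCreateEvent failure branch, so the cleanup is now duplicated and depends on there being no other exit. New lines 590 to 638 are not part of the diff; any return in that range would leak the heap block and SockEvent. Routing every exit through one label, `cleanup: NtClose(SockEvent); HeapFree(GlobalHeap, 0, BindData);`, followed by the existing MsafdReturnWithErrno return, would make that hold by construction. The function starts outside this hunk.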