Author: dgorbachev
Date: Mon Dec 7 02:30:32 2009
New Revision: 44449
URL:
http://svn.reactos.org/svn/reactos?rev=44449&view=rev
Log:
Avoid buffer overflow (bug #4693).
Modified:
trunk/reactos/dll/win32/msafd/misc/dllmain.c
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msafd/misc/dllma…
==============================================================================
--- trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] Mon Dec 7 02:30:32 2009
@@ -560,9 +560,15 @@
PAFD_BIND_DATA BindData;
PSOCKET_INFORMATION Socket = NULL;
NTSTATUS Status;
- UCHAR BindBuffer[0x1A];
SOCKADDR_INFO SocketInfo;
HANDLE SockEvent;
+
+ /* See below */
+ BindData = HeapAlloc(GlobalHeap, 0, 0xA + SocketAddressLength);
+ if (!BindData)
+ {
+ return MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL);
+ }
Status = NtCreateEvent(&SockEvent,
GENERIC_READ | GENERIC_WRITE,
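Review bot: The size passed to the new HeapAlloc call, `0xA + SocketAddressLength`, comes from a caller-supplied length with no range check visible in this hunk, and `0xA` is an unexplained magic number. If SocketAddressLength is a signed int, a negative or very small value gives a block shorter than the fixed header that the function starts filling in a few lines later (`BindData->Address.TAAddressCount = 1`), which would move the overflow from the stack to the heap rather than remove it. I would reject lengths shorter than the address-family field before allocating, and compute the header size from the structure layout (FIELD_OFFSET up to the address bytes) instead of hard-coding it. The `/* See below */` comment should say what is being sized, e.g. `/* BindData is variable-length: fixed TDI header plus the caller's sockaddr bytes */`. The function begins and ends outside this hunk.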
@@ -570,14 +576,14 @@
1,
FALSE);
- if( !NT_SUCCESS(Status) )
- return -1;
+ if (!NT_SUCCESS(Status))
+ {
+ HeapFree(GlobalHeap, 0, BindData);
+ return SOCKET_ERROR;
+ }
/* Get the Socket Structure associate to this Socket*/
Socket = GetSocketStructure(Handle);
-
- /* Dynamic Structure...ugh */
- BindData = (PAFD_BIND_DATA)BindBuffer;
/* Set up Address in TDI Format */
BindData->Address.TAAddressCount = 1;
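Review bot: The NtCreateEvent failure path frees BindData but returns `SOCKET_ERROR` without writing `*lpErrno`, whereas the allocation-failure path added in the first hunk goes through MsafdReturnWithErrno. A caller that reads the error code after this return sees whatever value was there before the call. Using `return MsafdReturnWithErrno(Status, lpErrno, 0, NULL);` after the HeapFree would keep the two paths consistent. Separately, the result of `GetSocketStructure(Handle)` is not tested in the lines shown here and Socket is dereferenced in the last hunk (`Socket->SharedData.State`); if the lookup can fail for an invalid handle, it needs a NULL check that also releases BindData and SockEvent.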
@@ -633,9 +639,9 @@
Socket->SharedData.State = SocketBound;
Socket->TdiAddressHandle = (HANDLE)IOSB.Information;
- NtClose( SockEvent );
-
- return MsafdReturnWithErrno ( Status, lpErrno, 0, NULL );
+ NtClose(SockEvent);
+ HeapFree(GlobalHeap, 0, BindData);
+ return MsafdReturnWithErrno(Status, lpErrno, 0, NULL);
}
int
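Review bot: BindData and SockEvent are released only at this final return, and the stretch of the function between the allocation and here is not part of the diff. The old stack buffer needed no cleanup, so any early return in that unseen stretch would now leak the heap block (and the event handle). It is worth confirming there is none, or routing every exit through a single cleanup label that does `NtClose(SockEvent); HeapFree(GlobalHeap, 0, BindData);`. The hunk shows only the tail of the function.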