https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ccb91bebbe1c44fb16016…
commit ccb91bebbe1c44fb160165c6e717a56289d3ab5c
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Sun Mar 24 15:04:37 2019 +0100
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Sun May 5 10:39:07 2019 +0200
[NTOS:PNP] Avoid a fixed-length stack buffer in IopActionConfigureChildServices.
CORE-15882
---
ntoskrnl/io/pnpmgr/pnpmgr.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/io/pnpmgr/pnpmgr.c b/ntoskrnl/io/pnpmgr/pnpmgr.c
index 1362a89f03..b4f59f4d17 100644
--- a/ntoskrnl/io/pnpmgr/pnpmgr.c
+++ b/ntoskrnl/io/pnpmgr/pnpmgr.c
@@ -2854,16 +2854,11 @@ IopActionConfigureChildServices(PDEVICE_NODE DeviceNode,
if (!(DeviceNode->Flags & (DNF_DISABLED | DNF_STARTED | DNF_ADDED)))
{
- WCHAR RegKeyBuffer[MAX_PATH];
UNICODE_STRING RegKey;
/* Install the service for this if it's in the CDDB */
IopInstallCriticalDevice(DeviceNode);
- RegKey.Length = 0;
- RegKey.MaximumLength = sizeof(RegKeyBuffer);
- RegKey.Buffer = RegKeyBuffer;
-
/*
* Retrieve configuration from Enum key
*/
@@ -2885,11 +2880,24 @@ IopActionConfigureChildServices(PDEVICE_NODE DeviceNode,
QueryTable[1].DefaultData = L"";
QueryTable[1].DefaultLength = 0;
- RtlAppendUnicodeToString(&RegKey,
L"\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\");
+ RegKey.Length = 0;
+ RegKey.MaximumLength = sizeof(ENUM_ROOT) + sizeof(WCHAR) +
DeviceNode->InstancePath.Length;
+ RegKey.Buffer = ExAllocatePoolWithTag(PagedPool,
+ RegKey.MaximumLength,
+ TAG_IO);
+ if (RegKey.Buffer == NULL)
+ {
+ IopDeviceNodeSetFlag(DeviceNode, DNF_DISABLED);
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ RtlAppendUnicodeToString(&RegKey, ENUM_ROOT);
+ RtlAppendUnicodeToString(&RegKey, L"\\");
RtlAppendUnicodeStringToString(&RegKey, &DeviceNode->InstancePath);
Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,
RegKey.Buffer, QueryTable, NULL, NULL);
+ ExFreePoolWithTag(RegKey.Buffer, TAG_IO);
if (!NT_SUCCESS(Status))
{
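Review bot: The three `RtlAppendUnicode*` calls before `RtlQueryRegistryValues` discard their NTSTATUS, and `RegKey.Buffer` is pool memory that is never initialised, so any failed append hands the query an unterminated path built from stale pool contents. A failure is possible in principle because `RegKey.MaximumLength` is a USHORT: the sum `sizeof(ENUM_ROOT) + sizeof(WCHAR) + DeviceNode->InstancePath.Length` is truncated when it exceeds 0xFFFF, leaving the allocation smaller than the text to be appended. Whether `InstancePath` can get that long is not visible here, and the sizing also assumes `ENUM_ROOT` is a wide string literal whose `sizeof` covers the terminator. I would reject the oversized case before allocating, e.g. `if (DeviceNode->InstancePath.Length > MAXUSHORT - sizeof(ENUM_ROOT) - sizeof(WCHAR))`, taking the same `DNF_DISABLED` path, and check each append's status, freeing the buffer on failure. The body of IopActionConfigureChildServices continues outside this hunk, so how callers treat the new `STATUS_INSUFFICIENT_RESOURCES` return cannot be judged from here.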