[fireball] 31565: - Get rid of possible buffer overflows and memory corruptions due to an assumption that UNICODE_STRING's buffers are always NULL-terminated. - Ros-diffs

2 Jan 2008

Author: fireball
Date: Wed Jan  2 19:06:03 2008
New Revision: 31565
URL: http://svn.reactos.org/svn/reactos?rev=31565&view=rev
Log:
- Get rid of possible buffer overflows and memory corruptions due to an assumption that UNICODE_STRING's buffers are always NULL-terminated.
Modified:
    trunk/reactos/ntoskrnl/io/iomgr/driver.c
    trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/driver.c?...
==============================================================================

--- trunk/reactos/ntoskrnl/io/iomgr/driver.c (original)
+++ trunk/reactos/ntoskrnl/io/iomgr/driver.c Wed Jan  2 19:06:03 2008
@@ -222,27 +222,31 @@
if (InputImagePath.Length == 0)
    {
-      ImagePath->Length = (33 * sizeof(WCHAR)) + ServiceName->Length;
-      ImagePath->MaximumLength = ImagePath->Length + sizeof(UNICODE_NULL);
+      ImagePath->Length = 0;
+      ImagePath->MaximumLength =
+          (33 * sizeof(WCHAR)) + ServiceName->Length + sizeof(UNICODE_NULL);
       ImagePath->Buffer = ExAllocatePool(NonPagedPool, ImagePath->MaximumLength);
       if (ImagePath->Buffer == NULL)
          return STATUS_NO_MEMORY;
-      wcscpy(ImagePath->Buffer, L"\SystemRoot\system32\drivers\");
-      wcscat(ImagePath->Buffer, ServiceName->Buffer);
-      wcscat(ImagePath->Buffer, L".sys");
+      RtlAppendUnicodeToString(ImagePath, L"\SystemRoot\system32\drivers\");
+      RtlAppendUnicodeStringToString(ImagePath, ServiceName);
+      RtlAppendUnicodeToString(ImagePath, L".sys");
    } else
    if (InputImagePath.Buffer[0] != L'\')
    {
-      ImagePath->Length = (12 * sizeof(WCHAR)) + InputImagePath.Length;
-      ImagePath->MaximumLength = ImagePath->Length + sizeof(UNICODE_NULL);
+      ImagePath->Length = 0;
+      ImagePath->MaximumLength =
+          12 * sizeof(WCHAR) + InputImagePath.Length + sizeof(UNICODE_NULL);
       ImagePath->Buffer = ExAllocatePool(NonPagedPool, ImagePath->MaximumLength);
       if (ImagePath->Buffer == NULL)
          return STATUS_NO_MEMORY;
-      wcscpy(ImagePath->Buffer, L"\SystemRoot\");
-      wcscat(ImagePath->Buffer, InputImagePath.Buffer);
-      ExFreePool(InputImagePath.Buffer);
+      RtlAppendUnicodeToString(ImagePath, L"\SystemRoot\");
+      RtlAppendUnicodeStringToString(ImagePath, &InputImagePath);
+
+      /* Free caller's string */
+      RtlFreeUnicodeString(&InputImagePath);
    }
return STATUS_SUCCESS;
Modified: trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c...
==============================================================================
--- trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c (original)
+++ trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c Wed Jan  2 19:06:03 2008
@@ -1593,7 +1593,6 @@
                      PUNICODE_STRING ParentIdPrefix)
 {
    ULONG KeyNameBufferLength;
-   PWSTR KeyNameBuffer = NULL;
    PKEY_VALUE_PARTIAL_INFORMATION ParentIdPrefixInformation = NULL;
    UNICODE_STRING KeyName;
    UNICODE_STRING KeyValue;
@@ -1620,15 +1619,20 @@
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup;
    }
-   KeyNameBuffer = ExAllocatePool(PagedPool, (49 * sizeof(WCHAR)) + DeviceNode->Parent->InstancePath.Length);
-   if (!KeyNameBuffer)
+
+
+   KeyName.Buffer = ExAllocatePool(PagedPool, (49 * sizeof(WCHAR)) + DeviceNode->Parent->InstancePath.Length);
+   if (!KeyName.Buffer)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup;
    }
-   wcscpy(KeyNameBuffer, L"\Registry\Machine\System\CurrentControlSet\Enum\");
-   wcscat(KeyNameBuffer, DeviceNode->Parent->InstancePath.Buffer);
-   RtlInitUnicodeString(&KeyName, KeyNameBuffer);
+   KeyName.Length = 0;
+   KeyName.MaximumLength = (49 * sizeof(WCHAR)) + DeviceNode->Parent->InstancePath.Length;
+
+   RtlAppendUnicodeToString(&KeyName, L"\Registry\Machine\System\CurrentControlSet\Enum\");
+   RtlAppendUnicodeStringToString(&KeyName, &DeviceNode->Parent->InstancePath);
+
    Status = IopOpenRegistryKeyEx(&hKey, NULL, &KeyName, KEY_QUERY_VALUE | KEY_SET_VALUE);
    if (!NT_SUCCESS(Status))
       goto cleanup;
@@ -1678,7 +1682,7 @@
       Status = RtlDuplicateUnicodeString(RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE, &KeyValue, ParentIdPrefix);
    }
    ExFreePool(ParentIdPrefixInformation);
-   ExFreePool(KeyNameBuffer);
+   RtlFreeUnicodeString(&KeyName);
    if (hKey != NULL)
       ZwClose(hKey);
    return Status;
@@ -1713,7 +1717,6 @@
    WCHAR InstancePath[MAX_PATH];
    IO_STACK_LOCATION Stack;
    NTSTATUS Status;
-   PWSTR KeyBuffer;
    PWSTR Ptr;
    USHORT Length;
    USHORT TotalLength;
@@ -1851,18 +1854,11 @@
    /*
     * Create registry key for the instance id, if it doesn't exist yet
     */
-   KeyBuffer = ExAllocatePool(
-      PagedPool,
-      (49 * sizeof(WCHAR)) + DeviceNode->InstancePath.Length);
-   wcscpy(KeyBuffer, L"\Registry\Machine\System\CurrentControlSet\Enum\");
-   wcscat(KeyBuffer, DeviceNode->InstancePath.Buffer);
-   Status = IopCreateDeviceKeyPath(/*KeyBuffer*/&DeviceNode->InstancePath, &InstanceKey);
-   ExFreePool(KeyBuffer);
+   Status = IopCreateDeviceKeyPath(&DeviceNode->InstancePath, &InstanceKey);
    if (!NT_SUCCESS(Status))
    {
       DPRINT1("Failed to create the instance key! (Status %lx)\n", Status);
    }
-
{
       /* Set 'Capabilities' value */

    