https://git.reactos.org/?p=reactos.git;a=commitdiff;h=8d91d4c8e1907ca50c348…
commit 8d91d4c8e1907ca50c3489e8f4868cf5827f1d5c
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Tue Jan 28 14:45:15 2025 +0100
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Tue Jan 28 15:29:40 2025 +0100
[MOUNTMGR] MountMgrMountedDeviceArrival(): Fix pool buffer double-free.
`DeviceInformation->DeviceName.Buffer` was already freed via the previous
`FreePool(TargetDeviceName.Buffer);` call,
since `DeviceInformation->DeviceName` was set to `TargetDeviceName` above
in the code. This resulted in a pool double-free, triggering a corruption
of the pool, and a BSoD.
What had to be freed instead is `DeviceInformation->SymbolicName.Buffer`
that is allocated at the beginning of the function.
---
drivers/storage/mountmgr/mountmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/storage/mountmgr/mountmgr.c b/drivers/storage/mountmgr/mountmgr.c
index 4e1552791bc..6603df3f53b 100644
--- a/drivers/storage/mountmgr/mountmgr.c
+++ b/drivers/storage/mountmgr/mountmgr.c
@@ -995,7 +995,7 @@ MountMgrMountedDeviceArrival(IN PDEVICE_EXTENSION DeviceExtension,
FreePool(UniqueId);
FreePool(TargetDeviceName.Buffer);
- FreePool(DeviceInformation->DeviceName.Buffer);
+ FreePool(DeviceInformation->SymbolicName.Buffer);
FreePool(DeviceInformation);
KeReleaseSemaphore(&(DeviceExtension->DeviceLock), IO_NO_INCREMENT, 1,
FALSE);
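Review bot: The corrected cleanup still depends on an undocumented alias: per the commit message, `DeviceInformation->DeviceName` shares its buffer with `TargetDeviceName`, so `FreePool(TargetDeviceName.Buffer);` is what releases it, and nothing at this site says so. A one-line comment above that call stating that it also frees `DeviceInformation->DeviceName.Buffer` would keep a later cleanup pass from re-adding the removed line. Since `DeviceInformation->SymbolicName.Buffer` is allocated at the beginning of the function, the other failure exits, which are not visible in this hunk, should also be checked to confirm that each one frees it exactly once and none of them frees the `DeviceName`/`TargetDeviceName` buffer twice.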