https://git.reactos.org/?p=reactos.git;a=commitdiff;h=bd7121862a58f1dd10587…
commit bd7121862a58f1dd10587fab67a8479b0d834207
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Sat Jan 11 14:08:20 2020 +0100
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Sat Jan 11 14:10:55 2020 +0100
[NTFS] Fix use after free in failure case of NtfsMountVolume.
NtfsGetVolumeData frees FileRecLookasideList in case of failure, so don't
free it again.
Dereferencing NewDeviceObject invalidates Vcb.
---
drivers/filesystems/ntfs/fsctl.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/filesystems/ntfs/fsctl.c b/drivers/filesystems/ntfs/fsctl.c
index a8c2a425619..a08a227c3dd 100644
--- a/drivers/filesystems/ntfs/fsctl.c
+++ b/drivers/filesystems/ntfs/fsctl.c
@@ -452,8 +452,6 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
if (!NT_SUCCESS(Status))
goto ByeBye;
- Lookaside = TRUE;
-
NewDeviceObject->Flags |= DO_DIRECT_IO;
Vcb = (PVOID)NewDeviceObject->DeviceExtension;
RtlZeroMemory(Vcb, sizeof(NTFS_VCB));
@@ -466,6 +464,8 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
if (!NT_SUCCESS(Status))
goto ByeBye;
+ Lookaside = TRUE;
+
NewDeviceObject->Vpb = DeviceToMount->Vpb;
Vcb->StorageDevice = DeviceToMount;
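Review bot: `Lookaside = TRUE;` now depends on an unwritten ownership contract with the call whose status is checked just above it: on failure the callee has already deleted `FileRecLookasideList`, and on success the caller owns it. The call itself is outside this hunk, so the callee name (NtfsGetVolumeData) is taken from the commit description. A comment at the assignment would stop a later edit from moving the flag back above the call and reintroducing the double delete, e.g. `/* NtfsGetVolumeData succeeded: the lookaside list is live and ByeBye must delete it; on failure the callee already did */`. It is also worth confirming that every failure return inside the callee, including any taken before the list is initialized, leaves nothing for the caller to clean up.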
@@ -564,11 +564,11 @@ ByeBye:
if (Ccb)
ExFreePool(Ccb);
- if (NewDeviceObject)
- IoDeleteDevice(NewDeviceObject);
-
if (Lookaside)
ExDeleteNPagedLookasideList(&Vcb->FileRecLookasideList);
+
+ if (NewDeviceObject)
+ IoDeleteDevice(NewDeviceObject);
}
DPRINT("NtfsMountVolume() done (Status: %lx)\n", Status);
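Review bot: The new statement order in the ByeBye cleanup is load-bearing, but nothing in the code says so. `Vcb` is `NewDeviceObject->DeviceExtension` (first hunk), so `IoDeleteDevice(NewDeviceObject)` must remain the last step that can touch `Vcb`. I would add a comment above `if (NewDeviceObject)`, such as `/* Must be last: Vcb lives in the device extension and is invalid after IoDeleteDevice */`, so that a future cleanup step is not appended after it. The cleanup block begins outside this hunk, so the earlier statements in it are not visible here; they run before the delete because it now closes the block.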