https://git.reactos.org/?p=reactos.git;a=commitdiff;h=bd7121862a58f1dd10587f...
commit bd7121862a58f1dd10587fab67a8479b0d834207 Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Sat Jan 11 14:08:20 2020 +0100 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sat Jan 11 14:10:55 2020 +0100
[NTFS] Fix use after free in failure case of NtfsMountVolume.
NtfsGetVolumeData frees FileRecLookasideList in case of failure, so don't free it again. Dereferencing NewDeviceObject invalidates Vcb.
---
 drivers/filesystems/ntfs/fsctl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/filesystems/ntfs/fsctl.c b/drivers/filesystems/ntfs/fsctl.c
index a8c2a425619..a08a227c3dd 100644
--- a/drivers/filesystems/ntfs/fsctl.c
+++ b/drivers/filesystems/ntfs/fsctl.c
@@ -452,8 +452,6 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
 if (!NT_SUCCESS(Status)) goto ByeBye;
- Lookaside = TRUE; - NewDeviceObject->Flags |= DO_DIRECT_IO; Vcb = (PVOID)NewDeviceObject->DeviceExtension; RtlZeroMemory(Vcb, sizeof(NTFS_VCB)); @@ -466,6 +464,8 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject, if (!NT_SUCCESS(Status)) goto ByeBye;
+ Lookaside = TRUE; + NewDeviceObject->Vpb = DeviceToMount->Vpb;
Vcb->StorageDevice = DeviceToMount; @@ -564,11 +564,11 @@ ByeBye: if (Ccb) ExFreePool(Ccb);
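Review bot: The new position of `Lookaside = TRUE;` in the second hunk encodes an ownership rule that is written down only in the commit message: the flag may be set only once the call checked just above it has succeeded, because on failure the callee has already deleted `FileRecLookasideList`. Nothing at this line says so, and moving the assignment back up would quietly bring back the double delete in the `ByeBye` path. I would add a comment above it, for example `/* Set only after NtfsGetVolumeData succeeded: on failure it deletes FileRecLookasideList itself. */`. The call is outside the hunk (presumably the NtfsGetVolumeData call named in the commit message), so it is worth confirming that each of its failure returns leaves the list either uninitialized or already deleted.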
- if (NewDeviceObject) - IoDeleteDevice(NewDeviceObject); - if (Lookaside) ExDeleteNPagedLookasideList(&Vcb->FileRecLookasideList); + + if (NewDeviceObject) + IoDeleteDevice(NewDeviceObject); }
DPRINT("NtfsMountVolume() done (Status: %lx)\n", Status);
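Review bot: The reordered cleanup under `ByeBye` is only correct while everything reached through `Vcb` is released before `IoDeleteDevice(NewDeviceObject)`, since the first hunk shows `Vcb` pointing into `NewDeviceObject->DeviceExtension`, and the code does not state that constraint. A comment above the device deletion would stop later cleanup additions from landing after it, e.g. `/* Must stay last: Vcb lives in NewDeviceObject's device extension. */`. `Vcb` is also left dangling afterwards; bracing that `if` and adding `Vcb = NULL;` after the `IoDeleteDevice` call would make any later use fault at a null pointer instead of reading freed pool. Whether the rest of NtfsMountVolume, which continues past this hunk, touches `Vcb` on the failure path is not visible here.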