Author: pschweitzer
Date: Sun Jun 21 05:40:15 2015
New Revision: 68221
URL:
http://svn.reactos.org/svn/reactos?rev=68221&view=rev
Log:
[NTOSKRNL]
Don't trust the user!
Probe buffers in NtSetSystemInformation - SystemSessionCreate and in
NtSetSystemInformation - SystemSessionDetach
Modified:
trunk/reactos/ntoskrnl/ex/sysinfo.c
Modified: trunk/reactos/ntoskrnl/ex/sysinfo.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ex/sysinfo.c?rev=…
==============================================================================
--- trunk/reactos/ntoskrnl/ex/sysinfo.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ex/sysinfo.c [iso-8859-1] Sun Jun 21 05:40:15 2015
@@ -2068,10 +2068,31 @@
{
return STATUS_PRIVILEGE_NOT_HELD;
}
+
+ _SEH2_TRY
+ {
+ ProbeForWriteUlong(Buffer);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
}
Status = MmSessionCreate(&SessionId);
- if (NT_SUCCESS(Status)) *(PULONG)Buffer = SessionId;
+ if (NT_SUCCESS(Status))
+ {
+ _SEH2_TRY
+ {
+ *(PULONG)Buffer = SessionId;
+ }
+ _SEH2_EXCEPT(ExSystemExceptionFilter())
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+ }
return Status;
}
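Review bot: In the new SEH block around `*(PULONG)Buffer = SessionId;`, a fault on the store returns the exception code but leaves the session that MmSessionCreate just created in place, and the caller never learns its id. The earlier ProbeForWriteUlong does not rule this out, because the user page can be unmapped or made read-only between the probe and the store. Consider undoing the creation in the handler, for example `MmSessionDelete(SessionId);` before `Status = _SEH2_GetExceptionCode();`, provided that routine is the correct inverse of MmSessionCreate here. The enclosing case starts outside the hunk, so these lines do not show whether the caller-supplied length is validated first.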
@@ -2091,9 +2112,21 @@
{
return STATUS_PRIVILEGE_NOT_HELD;
}
- }
-
- SessionId = *(PULONG)Buffer;
+
+ _SEH2_TRY
+ {
+ SessionId = ProbeForReadUlong(Buffer);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+ }
+ else
+ {
+ SessionId = *(PULONG)Buffer;
+ }
return MmSessionDelete(SessionId);
}
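Review bot: The new `else` branch reads `*(PULONG)Buffer` without a probe or SEH, and nothing in the hunk says why that is safe. The guarding condition is outside the hunk and is presumably a PreviousMode check. A one-line comment above the read, such as `/* Kernel-mode caller: Buffer is trusted, no probe needed */`, would record that assumption for the next reader. The user-mode path is sound as written: it captures the value once through `ProbeForReadUlong` and uses only the local copy afterwards.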