Author: tfaber
Date: Fri Apr 10 10:10:28 2015
New Revision: 67129
URL:
http://svn.reactos.org/svn/reactos?rev=67129&view=rev
Log:
[NTOS:PNP]
- Add missing SEH/Probe in NtGetPlugPlayEvent and IopGetInterfaceDeviceList, and correctly
copy the interface list. Patch by Stephan Röger.
CORE-9498 #resolve
Modified:
trunk/reactos/ntoskrnl/io/pnpmgr/plugplay.c
Modified: trunk/reactos/ntoskrnl/io/pnpmgr/plugplay.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/pnpmgr/plugpla…
==============================================================================
--- trunk/reactos/ntoskrnl/io/pnpmgr/plugplay.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/io/pnpmgr/plugplay.c [iso-8859-1] Fri Apr 10 10:10:28 2015
@@ -214,22 +214,23 @@
IopGetInterfaceDeviceList(PPLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA DeviceList)
{
NTSTATUS Status;
+ PLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA StackList;
UNICODE_STRING DeviceInstance;
PDEVICE_OBJECT DeviceObject = NULL;
- ULONG BufferSize = 0;
GUID FilterGuid;
PZZWSTR SymbolicLinkList = NULL, LinkList;
- ULONG TotalLength = 0;
+ ULONG TotalLength;
_SEH2_TRY
{
- ProbeForRead(DeviceList->FilterGuid, sizeof(GUID), sizeof(UCHAR));
- RtlCopyMemory(&FilterGuid, DeviceList->FilterGuid, sizeof(GUID));
-
- if (DeviceList->Buffer != NULL && DeviceList->BufferSize != 0)
- {
- BufferSize = DeviceList->BufferSize;
- ProbeForWrite(DeviceList->Buffer, BufferSize, sizeof(UCHAR));
+ RtlCopyMemory(&StackList, DeviceList,
sizeof(PLUGPLAY_CONTROL_INTERFACE_DEVICE_LIST_DATA));
+
+ ProbeForRead(StackList.FilterGuid, sizeof(GUID), sizeof(UCHAR));
+ RtlCopyMemory(&FilterGuid, StackList.FilterGuid, sizeof(GUID));
+
+ if (StackList.Buffer != NULL && StackList.BufferSize != 0)
+ {
+ ProbeForWrite(StackList.Buffer, StackList.BufferSize, sizeof(UCHAR));
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
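Review bot: The new `RtlCopyMemory(&StackList, DeviceList, ...)` reads the caller's structure without probing `DeviceList` itself; only the `FilterGuid` and `Buffer` pointers inside it are probed. The SEH block catches a fault on an unmapped address, but it does not reject a pointer that lies in kernel space. Unless the caller (not shown here) has already probed the structure, add `ProbeForWrite(DeviceList, sizeof(*DeviceList), sizeof(ULONG));` before the copy. Write access is the right check because the last hunk of this function stores the result back through `DeviceList->BufferSize`, which has the same gap. The function body continues past the end of this hunk.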
@@ -238,8 +239,7 @@
}
_SEH2_END;
-
- Status = IopCaptureUnicodeString(&DeviceInstance,
&DeviceList->DeviceInstance);
+ Status = IopCaptureUnicodeString(&DeviceInstance,
&StackList.DeviceInstance);
if (NT_SUCCESS(Status))
{
/* Get the device object */
@@ -247,7 +247,7 @@
ExFreePool(DeviceInstance.Buffer);
}
- Status = IoGetDeviceInterfaces(&FilterGuid, DeviceObject, DeviceList->Flags,
&SymbolicLinkList);
+ Status = IoGetDeviceInterfaces(&FilterGuid, DeviceObject, StackList.Flags,
&SymbolicLinkList);
ObDereferenceObject(DeviceObject);
if (!NT_SUCCESS(Status))
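Review bot: `ObDereferenceObject(DeviceObject)` runs unconditionally after `IoGetDeviceInterfaces`, but `DeviceObject` starts as NULL and is only assigned inside the `if (NT_SUCCESS(Status))` branch of the previous hunk. If capturing `StackList.DeviceInstance` fails, or if the lookup (not visible here) finds no device, this dereferences NULL on a path driven by caller-supplied data. The commit leaves this line as it was. I would guard it: `if (DeviceObject != NULL) ObDereferenceObject(DeviceObject);`.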
@@ -259,16 +259,28 @@
LinkList = SymbolicLinkList;
while (*SymbolicLinkList != UNICODE_NULL)
{
- TotalLength += (wcslen(SymbolicLinkList) + 1) * sizeof(WCHAR);
SymbolicLinkList += wcslen(SymbolicLinkList) + (sizeof(UNICODE_NULL) /
sizeof(WCHAR));
}
- TotalLength += sizeof(UNICODE_NULL);
-
- if (BufferSize >= TotalLength)
- {
- RtlCopyMemory(DeviceList->Buffer, SymbolicLinkList, TotalLength *
sizeof(WCHAR));
- }
- DeviceList->BufferSize = TotalLength;
+ TotalLength = ((SymbolicLinkList - LinkList + 1) * sizeof(WCHAR));
+
+ _SEH2_TRY
+ {
+ if (StackList.Buffer != NULL &&
+ StackList.BufferSize >= TotalLength)
+ {
+ // We've already probed the buffer for writing above.
+ RtlCopyMemory(StackList.Buffer, LinkList, TotalLength);
+ }
+
+ DeviceList->BufferSize = TotalLength;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ ExFreePool(LinkList);
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+
ExFreePool(LinkList);
return STATUS_SUCCESS;
}
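Review bot: When `StackList.Buffer` is NULL or `StackList.BufferSize` is smaller than `TotalLength`, the new block copies nothing, stores the required size in `DeviceList->BufferSize` and still returns `STATUS_SUCCESS`. The caller cannot tell a filled buffer from an untouched one without comparing sizes itself. If this is meant as a size query, say so next to the check, e.g. `/* Buffer absent or too small: only the required size is returned */`. Otherwise return `STATUS_BUFFER_TOO_SMALL` on that branch. A one-line comment that the `+ 1` in the `TotalLength` computation covers the list's final terminating `UNICODE_NULL` would also help.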
@@ -831,9 +843,20 @@
}
/* Copy event data to the user buffer */
- memcpy(Buffer,
- &Entry->Event,
- Entry->Event.TotalSize);
+ _SEH2_TRY
+ {
+ ProbeForWrite(Buffer,
+ Entry->Event.TotalSize,
+ sizeof(UCHAR));
+ RtlCopyMemory(Buffer,
+ &Entry->Event,
+ Entry->Event.TotalSize);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
DPRINT("NtGetPlugPlayEvent() done\n");
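Review bot: The added `ProbeForWrite` and `RtlCopyMemory` are both sized by `Entry->Event.TotalSize`, and nothing in this hunk compares that value with the length of the buffer the caller supplied. The probe confirms the range is user-mode and writable, not that it stays inside the caller's allocation. If the code above this hunk does not already reject a too-small buffer, add a check before the `_SEH2_TRY`, along the lines of `if (BufferSize < Entry->Event.TotalSize) return STATUS_BUFFER_TOO_SMALL;`. The name `BufferSize` is assumed from the usual signature and is not visible here. The enclosing function starts and ends outside the hunk.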