[janderwald] 33088: - check input in PNP_GetRootDeviceInstance - fix length check in PNP_GetClassName - allocate device id string dynamically in to avoid a potential buffer overflow - use lstrlenW over wcslen in PnpEventThread
21 Apr
2008
21 Apr
'08
12:08 p.m.
Author: janderwald
Date: Mon Apr 21 07:08:42 2008
New Revision: 33088
URL: http://svn.reactos.org/svn/reactos?rev=33088&view=rev
Log:
- check input in PNP_GetRootDeviceInstance
- fix length check in PNP_GetClassName
- allocate device id string dynamically in to avoid a potential buffer overflow
- use lstrlenW over wcslen in PnpEventThread
Modified:
trunk/reactos/base/services/umpnpmgr/umpnpmgr.c
Modified: trunk/reactos/base/services/umpnpmgr/umpnpmgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/base/services/umpnpmgr/ump…
==============================================================================
--- trunk/reactos/base/services/umpnpmgr/umpnpmgr.c [iso-8859-1] (original)
+++ trunk/reactos/base/services/umpnpmgr/umpnpmgr.c [iso-8859-1] Mon Apr 21 07:08:42 2008
@@ -308,6 +308,11 @@
DPRINT("PNP_GetRootDeviceInstance() called\n");
+ if (!pDeviceID)
+ {
+ ret = CR_INVALID_POINTER;
+ goto Done;
+ }
if (ulLength < lstrlenW(szRootDeviceId) + 1)
{
ret = CR_BUFFER_SMALL;
@@ -891,9 +896,8 @@
DPRINT("PNP_GetClassName() called\n");
- lstrcpyW(szKeyName, L"System\\CurrentControlSet\\Control\\Class");
- lstrcatW(szKeyName, L"\\");
- if(lstrlenW(pszClassGuid) < sizeof(szKeyName)/sizeof(WCHAR)-lstrlenW(szKeyName))
+ lstrcpyW(szKeyName, L"System\\CurrentControlSet\\Control\\Class\\");
+ if(lstrlenW(pszClassGuid) + 1 <
sizeof(szKeyName)/sizeof(WCHAR)-(lstrlenW(szKeyName) * sizeof(WCHAR)))
lstrcatW(szKeyName, pszClassGuid);
else return CR_INVALID_DATA;
@@ -1250,7 +1254,8 @@
HKEY hDeviceKey;
LPWSTR pszSubKey;
DWORD dwDeviceIdListSize;
- WCHAR szDeviceIdList[512];
+ DWORD dwNewDeviceIdSize;
+ WCHAR * pszDeviceIdList = NULL;
UNREFERENCED_PARAMETER(hBinding);
@@ -1271,12 +1276,11 @@
pszSubKey = (ulFlags & CM_ADD_ID_COMPATIBLE) ? L"CompatibleIDs" :
L"HardwareID";
- dwDeviceIdListSize = 512 * sizeof(WCHAR);
if (RegQueryValueExW(hDeviceKey,
pszSubKey,
NULL,
NULL,
- (LPBYTE)szDeviceIdList,
+ NULL,
&dwDeviceIdListSize) != ERROR_SUCCESS)
{
DPRINT("Failed to query the desired ID string!\n");
@@ -1284,8 +1288,37 @@
goto Done;
}
+ dwNewDeviceIdSize = lstrlenW(pszDeviceID);
+ if (!dwNewDeviceIdSize)
+ {
+ ret = CR_INVALID_POINTER;
+ goto Done;
+ }
+
+ dwDeviceIdListSize += (dwNewDeviceIdSize + 2) * sizeof(WCHAR);
+
+ pszDeviceIdList = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwDeviceIdListSize);
+ if (!pszDeviceIdList)
+ {
+ DPRINT("Failed to allocate memory for the desired ID string!\n");
+ ret = CR_OUT_OF_MEMORY;
+ goto Done;
+ }
+
+ if (RegQueryValueExW(hDeviceKey,
+ pszSubKey,
+ NULL,
+ NULL,
+ (LPBYTE)pszDeviceIdList,
+ &dwDeviceIdListSize) != ERROR_SUCCESS)
+ {
+ DPRINT("Failed to query the desired ID string!\n");
+ ret = CR_REGISTRY_ERROR;
+ goto Done;
+ }
+
/* Check whether the device ID is already in use */
- if (CheckForDeviceId(szDeviceIdList, pszDeviceID))
+ if (CheckForDeviceId(pszDeviceIdList, pszDeviceID))
{
DPRINT("Device ID was found in the ID string!\n");
ret = CR_SUCCESS;
@@ -1293,13 +1326,13 @@
}
/* Append the Device ID */
- AppendDeviceId(szDeviceIdList, &dwDeviceIdListSize, pszID);
+ AppendDeviceId(pszDeviceIdList, &dwDeviceIdListSize, pszID);
if (RegSetValueExW(hDeviceKey,
pszSubKey,
0,
REG_MULTI_SZ,
- (LPBYTE)szDeviceIdList,
+ (LPBYTE)pszDeviceIdList,
dwDeviceIdListSize) != ERROR_SUCCESS)
{
DPRINT("Failed to set the desired ID string!\n");
@@ -1308,6 +1341,8 @@
Done:
RegCloseKey(hDeviceKey);
+ if (pszDeviceIdList)
+ HeapFree(GetProcessHeap(), 0, pszDeviceIdList);
DPRINT("PNP_AddID() done (returns %lx)\n", ret);
@@ -2071,22 +2106,26 @@
{
DeviceInstallParams* Params;
DWORD len;
+ DWORD DeviceIdLength;
DPRINT("Device arrival event: %S\n",
PnpEvent->TargetDevice.DeviceIds);
- /* Queue device install (will be dequeued by DeviceInstallThread */
- len = FIELD_OFFSET(DeviceInstallParams, DeviceIds)
- + wcslen(PnpEvent->TargetDevice.DeviceIds) * sizeof(WCHAR) +
sizeof(UNICODE_NULL);
- Params = HeapAlloc(GetProcessHeap(), 0, len);
- if (Params)
+ DeviceIdLength = lstrlenW(PnpEvent->TargetDevice.DeviceIds);
+ if (DeviceIdLength)
{
- wcscpy(Params->DeviceIds, PnpEvent->TargetDevice.DeviceIds);
+ /* Queue device install (will be dequeued by DeviceInstallThread */
+ len = FIELD_OFFSET(DeviceInstallParams, DeviceIds) + (DeviceIdLength + 1)
* sizeof(WCHAR);
+ Params = HeapAlloc(GetProcessHeap(), 0, len);
+ if (Params)
+ {
+ wcscpy(Params->DeviceIds, PnpEvent->TargetDevice.DeviceIds);
#ifdef HAVE_SLIST_ENTRY_IMPLEMENTED
- InterlockedPushEntrySList(&DeviceInstallListHead,
&Params->ListEntry);
+ InterlockedPushEntrySList(&DeviceInstallListHead,
&Params->ListEntry);
#else
- InsertTailList(&DeviceInstallListHead, &Params->ListEntry);
+ InsertTailList(&DeviceInstallListHead,
&Params->ListEntry);
#endif
- SetEvent(hDeviceInstallListNotEmpty);
+ SetEvent(hDeviceInstallListNotEmpty);
+ }
}
}
else
5996
days inactive
5996
days old
0 comments
1 participants
participants (1)
-
janderwald@svn.reactos.org