Author: tfaber
Date: Sat Sep 22 09:18:34 2012
New Revision: 57360
URL:
http://svn.reactos.org/svn/reactos?rev=57360&view=rev
Log:
[KERNEL32]
- Fix buffer overflow in PeekNamedPipe
Modified:
trunk/reactos/dll/win32/kernel32/client/file/npipe.c
Modified: trunk/reactos/dll/win32/kernel32/client/file/npipe.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/client/…
==============================================================================
--- trunk/reactos/dll/win32/kernel32/client/file/npipe.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/kernel32/client/file/npipe.c [iso-8859-1] Sat Sep 22 09:18:34
2012
@@ -1173,7 +1173,7 @@
NTSTATUS Status;
/* Calculate the buffer space that we'll need and allocate it */
- BufferSize = nBufferSize + sizeof(FILE_PIPE_PEEK_BUFFER);
+ BufferSize = FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[nBufferSize]);
Buffer = RtlAllocateHeap(RtlGetProcessHeap(), 0, BufferSize);
if (Buffer == NULL)
{
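Review bot: The new `FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[nBufferSize])` on the added line still takes nBufferSize unchecked, and on a 32-bit build the offset arithmetic presumably wraps once nBufferSize exceeds ULONG_MAX minus the header size, leaving BufferSize smaller than the fixed part of the structure before the allocation; the removed addition had the same exposure, so the commit does not worsen it, but a range check before the allocation would close it, e.g. `if (nBufferSize > MAXULONG - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0])) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }`. The sizing now deliberately leaves room for exactly nBufferSize data bytes, so the kernel's output-length check is what bounds the later copy into the caller's buffer; that intent deserves a comment such as `/* Size the buffer so Data holds exactly nBufferSize bytes; the pipe FSCTL cannot then return more data than the caller can accept */`, since the existing comment only says "calculate the buffer space". PeekNamedPipe begins before this hunk and its error path for the allocation failure continues after it.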
@@ -1215,11 +1215,15 @@
/* Check if caller requested bytes available */
if (lpTotalBytesAvail)
+ {
+ /* Return bytes available */
*lpTotalBytesAvail = Buffer->ReadDataAvailable;
+ }
/* Calculate the bytes returned, minus our structure overhead */
BytesRead = (ULONG)(Iosb.Information -
FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]));
+ ASSERT(BytesRead <= nBufferSize);
/* Check if caller requested bytes read */
if (lpBytesRead)