Author: fireball Date: Wed Dec 19 20:46:58 2007 New Revision: 31331
URL: http://svn.reactos.org/svn/reactos?rev=31331&view=rev Log: - Fix dangerous passing of a possibly unterminated wide string to RtlQueryRegistryValues (by opening the keys and passing a handle instead). - Fix an incorrect string operation that assumed the string is terminated. Spotted by hpoussin.
Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c
Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/driver.c?...
==============================================================================
--- trunk/reactos/ntoskrnl/io/iomgr/driver.c (original)
+++ trunk/reactos/ntoskrnl/io/iomgr/driver.c Wed Dec 19 20:46:58 2007
@@ -268,8 +268,10 @@
 {
 RTL_QUERY_REGISTRY_TABLE QueryTable[3];
 ULONG ServiceStart;
- UNICODE_STRING ServiceImagePath;
+ UNICODE_STRING ServiceImagePath, CCSName;
 NTSTATUS Status;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ HANDLE CCSKey, ServiceKey;
DPRINT("IopLoadServiceModule(%wZ, 0x%p)\n", ServiceName, ModuleObject);
@@ -277,6 +279,36 @@
 if (ServiceName->Buffer == NULL)
 return STATUS_UNSUCCESSFUL;
+ /* Open CurrentControlSet */
+ RtlInitUnicodeString(&CCSName,
+ L"\Registry\Machine\SYSTEM\CurrentControlSet\Services");
+ InitializeObjectAttributes(&ObjectAttributes,
+ &CCSName,
+ OBJ_CASE_INSENSITIVE,
+ NULL,
+ NULL);
+ Status = ZwOpenKey(&CCSKey, KEY_READ, &ObjectAttributes);
+
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("ZwOpenKey() failed with Status %08X\n", Status);
+ return Status;
+ }
+
+ /* Open service key */
+ InitializeObjectAttributes(&ObjectAttributes,
+ ServiceName,
+ OBJ_CASE_INSENSITIVE,
+ CCSKey,
+ NULL);
+ Status = ZwOpenKey(&ServiceKey, KEY_READ, &ObjectAttributes);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("ZwOpenKey() failed with Status %08X\n", Status);
+ ZwClose(CCSKey);
+ return Status;
+ }
+
 /*
 * Get information about the service.
 */
@@ -293,12 +325,15 @@
 QueryTable[1].Flags = RTL_QUERY_REGISTRY_DIRECT;
 QueryTable[1].EntryContext = &ServiceImagePath;
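Review bot: Both ZwOpenKey calls in this hunk initialize their OBJECT_ATTRIBUTES with only OBJ_CASE_INSENSITIVE, so CCSKey and ServiceKey are created in the handle table of whichever process is current; if IopLoadServiceModule can run on behalf of a user-mode caller (the function starts outside the hunk, so I cannot confirm its callers), that process could close or reuse those handles before the ZwClose calls later in the function. Passing `OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE` in both InitializeObjectAttributes calls keeps the handles kernel-only. Separately, the two failure branches log the identical text `"ZwOpenKey() failed with Status %08X\n"`, so a trace cannot tell whether the Services key or the service subkey failed to open; name the key in each message, e.g. `DPRINT1("ZwOpenKey(Services) failed with Status %08X\n", Status);`. As rendered here the CCSName literal shows single backslashes; if that is not a mail-rendering artifact, sequences such as `\R` are not valid C escapes and the path must be written with `\\`.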
- Status = RtlQueryRegistryValues(RTL_REGISTRY_SERVICES,
- ServiceName->Buffer, QueryTable, NULL, NULL);
+ Status = RtlQueryRegistryValues(RTL_REGISTRY_HANDLE,
+ (PWSTR)ServiceKey, QueryTable, NULL, NULL);
+
+ ZwClose(ServiceKey);
+ ZwClose(CCSKey);
 if (!NT_SUCCESS(Status))
 {
- DPRINT("RtlQueryRegistryValues() failed (Status %x)\n", Status);
+ DPRINT1("RtlQueryRegistryValues() failed (Status %x)\n", Status);
 return Status;
 }
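Review bot: The `(PWSTR)ServiceKey` argument on the new RtlQueryRegistryValues call reads like a type confusion to anyone who does not know that RTL_REGISTRY_HANDLE makes the Path parameter carry a key handle rather than a string; a comment on that line would save the next reader a trip to the documentation, e.g. `/* RTL_REGISTRY_HANDLE: Path is the already-opened key handle */`. Closing ServiceKey and CCSKey immediately after the query, before the status check, is fine since neither the failure return nor the continuing path uses them again.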
@@ -412,9 +447,12 @@
 wcscpy(NameBuffer, FILESYSTEM_ROOT_NAME);
 else
 wcscpy(NameBuffer, DRIVER_ROOT_NAME);
- wcscat(NameBuffer, ServiceName->Buffer);
 RtlInitUnicodeString(&DriverName, NameBuffer);
+ DriverName.MaximumLength = sizeof(NameBuffer);
+
+ RtlAppendUnicodeStringToString(&DriverName, ServiceName);
+ DPRINT("Driver name: '%wZ'\n", &DriverName);
 }
 else
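Review bot: The new RtlAppendUnicodeStringToString call discards its NTSTATUS; when ServiceName does not fit in the remaining NameBuffer space the routine appends nothing and reports STATUS_BUFFER_TOO_SMALL, so DriverName silently degrades to just the root prefix and the driver object would be created under a wrong name. The enclosing function starts outside the hunk, so I cannot see its status variable or error convention, but the check should be along the lines of `Status = RtlAppendUnicodeStringToString(&DriverName, ServiceName); if (!NT_SUCCESS(Status)) return Status;`. `DriverName.MaximumLength = sizeof(NameBuffer)` is only correct if NameBuffer is a WCHAR array declared in this function rather than a pointer; its declaration is not in the hunk, so that is worth confirming.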