https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a748350fc9c342149e7f8d...
commit a748350fc9c342149e7f8dc798a6c696f4ec9ef3 Author: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org AuthorDate: Sun Dec 27 00:33:32 2020 +0100 Commit: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org CommitDate: Sun Dec 27 00:52:00 2020 +0100
[NTOS:IO] Fail if the driver name passed to NtLoadDriver() is an empty string.
Otherwise an assertion on the driver name is hit later on. Can be reproduced by calling NtLoadDriver with a valid UNICODE_STRING of Length == 0. --- ntoskrnl/io/iomgr/driver.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index 9f7d5ed5aba..3b033f9ab32 100644
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -1251,7 +1251,7 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
 DPRINT("IopUnloadDriver('%wZ', %u)\n", &CapturedServiceName, UnloadPnpDrivers);
 /* We need a service name */
- if (CapturedServiceName.Length == 0)
+ if (CapturedServiceName.Length == 0 || CapturedServiceName.Buffer == NULL)
 {
 ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
 return STATUS_INVALID_PARAMETER;
@@ -2161,6 +2161,13 @@ NtLoadDriver(IN PUNICODE_STRING DriverServiceName)
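Review bot: The empty-name guard in IopUnloadDriver is now textually identical to the one this commit adds to NtLoadDriver in the next hunk, so the two entry points can drift apart the next time one of them is tightened. A small static helper in driver.c that takes the captured string and reports whether it is usable would keep both paths in step; the call sites would then read `if (!IopIsValidServiceName(&CapturedServiceName))` (the helper name is a suggestion, not an existing function). The comment could also say why Buffer is tested, for example `/* We need a non-empty service name; Length and Buffer are checked on the captured copy */`. IopUnloadDriver starts and ends outside this hunk.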
DPRINT("NtLoadDriver('%wZ')\n", &CapturedServiceName);
+ /* We need a service name */ + if (CapturedServiceName.Length == 0 || CapturedServiceName.Buffer == NULL) + { + ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode); + return STATUS_INVALID_PARAMETER; + } + /* Load driver and call its entry point */ DriverObject = NULL; Status = IopLoadUnloadDriver(&CapturedServiceName, &DriverObject);
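Review bot: The guard added before the IopLoadUnloadDriver call rejects only a zero Length or a NULL Buffer, while the name comes from the caller and the commit message says the failure being prevented is an assertion further down. Other degenerate names may reach the same code, for instance an odd Length or a path whose last component is empty; IopLoadUnloadDriver is not visible here, so this is a question rather than a finding. If that path can still assert on such input, it would be safer for it to return STATUS_INVALID_PARAMETER as well, so that no caller-supplied string can trip a kernel assertion. NtLoadDriver's body begins and ends outside the hunk.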