https://git.reactos.org/?p=reactos.git;a=commitdiff;h=91cc1c3e4f34dd1d54b9ea...
commit 91cc1c3e4f34dd1d54b9ea00017f4b60921b8146 Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Sun Dec 29 10:00:59 2019 +0100 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sun Dec 29 10:41:44 2019 +0100
[NTOS:CM] Protect user memory access with SEH in NtQueryOpenSubKeys.
---
ntoskrnl/config/ntapi.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/ntoskrnl/config/ntapi.c b/ntoskrnl/config/ntapi.c
index 824992fe75f..bfe9ffe132f 100644
--- a/ntoskrnl/config/ntapi.c
+++ b/ntoskrnl/config/ntapi.c
@@ -1473,6 +1473,7 @@ NtQueryOpenSubKeys(IN POBJECT_ATTRIBUTES TargetKey,
 PCM_KEY_BODY KeyBody = NULL;
 HANDLE KeyHandle;
 NTSTATUS Status;
+ ULONG SubKeys;
DPRINT("NtQueryOpenSubKeys()\n");
@@ -1543,8 +1544,8 @@ NtQueryOpenSubKeys(IN POBJECT_ATTRIBUTES TargetKey,
 }
/* Call the internal API */
- *HandleCount = CmpEnumerateOpenSubKeys(KeyBody->KeyControlBlock,
- FALSE, FALSE);
+ SubKeys = CmpEnumerateOpenSubKeys(KeyBody->KeyControlBlock,
+ FALSE, FALSE);
/* Unlock the registry */
 CmpUnlockRegistry();
@@ -1552,6 +1553,17 @@ NtQueryOpenSubKeys(IN POBJECT_ATTRIBUTES TargetKey,
 /* Dereference the key object */
 ObDereferenceObject(KeyBody);
+ /* Write back the result */
+ _SEH2_TRY
+ {
+ *HandleCount = SubKeys;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
 DPRINT("Done.\n");
return Status;
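Review bot: The new `_SEH2_TRY` around `*HandleCount = SubKeys;` only turns a fault on the pointer into a status code; it does not itself check that `HandleCount` lies in the user address range, so for user-mode callers it still depends on a probe of `HandleCount` (e.g. `ProbeForWriteUlong`) earlier in NtQueryOpenSubKeys, which starts outside this hunk and is worth confirming. The `/* Write back the result */` comment could also record why the store now sits after `CmpUnlockRegistry()` and `ObDereferenceObject(KeyBody)`, for example `/* Write back the result only after the lock and the key reference are released, so a fault on the caller's pointer cannot leak either */`. Without that, a later cleanup could move the store back up next to the `CmpEnumerateOpenSubKeys` call.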