https://git.reactos.org/?p=reactos.git;a=commitdiff;h=91cc1c3e4f34dd1d54b9e… commit 91cc1c3e4f34dd1d54b9ea00017f4b60921b8146 Author: Thomas Faber <thomas.faber(a)reactos.org> AuthorDate: Sun Dec 29 10:00:59 2019 +0100 Commit: Thomas Faber <thomas.faber(a)reactos.org> CommitDate: Sun Dec 29 10:41:44 2019 +0100 [NTOS:CM] Protect user memory access with SEH in NtQueryOpenSubKeys. --- ntoskrnl/config/ntapi.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/ntoskrnl/config/ntapi.c b/ntoskrnl/config/ntapi.c index 824992fe75f..bfe9ffe132f 100644 --- a/ntoskrnl/config/ntapi.c +++ b/ntoskrnl/config/ntapi.c @@ -1473,6 +1473,7 @@ NtQueryOpenSubKeys(IN POBJECT_ATTRIBUTES TargetKey, PCM_KEY_BODY KeyBody = NULL; HANDLE KeyHandle; NTSTATUS Status; + ULONG SubKeys; DPRINT("NtQueryOpenSubKeys()\n"); @@ -1543,8 +1544,8 @@ NtQueryOpenSubKeys(IN POBJECT_ATTRIBUTES TargetKey, } /* Call the internal API */ - *HandleCount = CmpEnumerateOpenSubKeys(KeyBody->KeyControlBlock, - FALSE, FALSE); + SubKeys = CmpEnumerateOpenSubKeys(KeyBody->KeyControlBlock, + FALSE, FALSE); /* Unlock the registry */ CmpUnlockRegistry(); @@ -1552,6 +1553,17 @@ NtQueryOpenSubKeys(IN POBJECT_ATTRIBUTES TargetKey, /* Dereference the key object */ ObDereferenceObject(KeyBody); + /* Write back the result */ + _SEH2_TRY + { + *HandleCount = SubKeys; + } + _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) + { + Status = _SEH2_GetExceptionCode(); + } + _SEH2_END; + DPRINT("Done.\n"); return Status;