https://git.reactos.org/?p=reactos.git;a=commitdiff;h=0ddf0a06c35ce39f330564...

commit 0ddf0a06c35ce39f330564f896d45611731bb74b Author: Erdem Ersoy erdemersoy@erdemersoy.net AuthorDate: Sun Mar 8 21:36:07 2020 +0300 Commit: GitHub noreply@github.com CommitDate: Sun Mar 8 19:36:07 2020 +0100

[TRACERT] Fix undefined behavior by fixing ReplyBuffer size. (#2422)

CORE-16620 --- base/applications/network/tracert/tracert.cpp | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/base/applications/network/tracert/tracert.cpp b/base/applications/network/tracert/tracert.cpp index da026a65d00..1cabd0a2dd0 100644 --- a/base/applications/network/tracert/tracert.cpp +++ b/base/applications/network/tracert/tracert.cpp @@ -377,31 +377,31 @@ RunTraceRoute() }

BYTE SendBuffer[PACKET_SIZE]; - ICMPV6_ECHO_REPLY ReplyBufferv6; -#ifdef _WIN64 - ICMP_ECHO_REPLY32 ReplyBufferv432; -#else - ICMP_ECHO_REPLY ReplyBufferv4; -#endif + PVOID ReplyBuffer;

DWORD ReplySize = PACKET_SIZE + SIZEOF_ICMP_ERROR + SIZEOF_IO_STATUS_BLOCK; if (Info.Family == AF_INET6) { - ReplyBuffer = &ReplyBufferv6; ReplySize += sizeof(ICMPV6_ECHO_REPLY); } else { #ifdef _WIN64 - ReplyBuffer = &ReplyBufferv432; ReplySize += sizeof(ICMP_ECHO_REPLY32); #else - ReplyBuffer = &ReplyBufferv4; ReplySize += sizeof(ICMP_ECHO_REPLY); #endif }

+ HANDLE heap = GetProcessHeap(); + ReplyBuffer = HeapAlloc(heap, HEAP_ZERO_MEMORY, ReplySize); + if (ReplyBuffer == NULL) + { + FreeAddrInfoW(Info.Target); + return false; + } + if (Info.Family == AF_INET6) { Info.hIcmpFile = Icmp6CreateFile(); @@ -412,6 +412,7 @@ RunTraceRoute() } if (Info.hIcmpFile == INVALID_HANDLE_VALUE) { + HeapFree(heap, 0, ReplyBuffer); FreeAddrInfoW(Info.Target); return false; } @@ -486,6 +487,7 @@ RunTraceRoute()

OutputText(IDS_TRACE_COMPLETE);

+ HeapFree(heap, 0, ReplyBuffer); FreeAddrInfoW(Info.Target); if (Info.hIcmpFile) {