Author: cgutman Date: Sun Jan 8 06:51:44 2012 New Revision: 54877
URL: http://svn.reactos.org/svn/reactos?rev=54877&view=rev Log: [NDISUIO] - Fix a query binding bug that caused access to unallocated memory [WLANCONF] - Fix parameter parsing and dumb IOCTL_NDISUIO_QUERY_BINDING usage
Modified: branches/wlan-bringup/base/applications/network/wlanconf/wlanconf.c branches/wlan-bringup/drivers/network/ndisuio/ioctl.c
Modified: branches/wlan-bringup/base/applications/network/wlanconf/wlanconf.c URL: http://svn.reactos.org/svn/reactos/branches/wlan-bringup/base/applications/n...
==============================================================================
--- branches/wlan-bringup/base/applications/network/wlanconf/wlanconf.c [iso-8859-1] (original)
+++ branches/wlan-bringup/base/applications/network/wlanconf/wlanconf.c [iso-8859-1] Sun Jan 8 06:51:44 2012
@@ -132,21 +132,16 @@
 return INVALID_HANDLE_VALUE;
 }
- /* Query for bindable adapters */
- QueryBinding->BindingIndex = 0;
- do {
- bSuccess = DeviceIoControl(hDriver,
- IOCTL_NDISUIO_QUERY_BINDING,
- QueryBinding,
- QueryBindingSize,
- QueryBinding,
- QueryBindingSize,
- &dwBytesReturned,
- NULL);
- if (QueryBinding->BindingIndex == Index)
- break;
- QueryBinding->BindingIndex++;
- } while (bSuccess);
+ /* Query the adapter binding information */
+ QueryBinding->BindingIndex = Index;
+ bSuccess = DeviceIoControl(hDriver,
+ IOCTL_NDISUIO_QUERY_BINDING,
+ QueryBinding,
+ QueryBindingSize,
+ QueryBinding,
+ QueryBindingSize,
+ &dwBytesReturned,
+ NULL);
 if (!bSuccess)
 {
@@ -540,35 +535,46 @@
 for (i = 1; i < argc; i++)
 {
- if ((argc > 1) && (argv[i][0] == '-'))
- {
- TCHAR c;
-
- while ((c = *++argv[i]) != '\0')
+ if (argv[i][0] == '-')
+ {
+ switch (argv[i][1])
 {
- switch (c)
- {
- case 's':
- bScan = TRUE;
- break;
- case 'd':
- bDisconnect = TRUE;
- break;
- case 'c':
- bConnect = TRUE;
- sSsid = argv[++i];
- break;
- case 'w':
- sWepKey = argv[++i];
- break;
- case 'a':
- bAdhoc = TRUE;
- break;
- default :
+ case 's':
+ bScan = TRUE;
+ break;
+ case 'd':
+ bDisconnect = TRUE;
+ break;
+ case 'c':
+ if (i == argc - 1)
+ {
 Usage();
 return FALSE;
- }
+ }
+ bConnect = TRUE;
+ sSsid = argv[++i];
+ break;
+ case 'w':
+ if (i == argc - 1)
+ {
+ Usage();
+ return FALSE;
+ }
+ sWepKey = argv[++i];
+ break;
+ case 'a':
+ bAdhoc = TRUE;
+ break;
+ default :
+ Usage();
+ return FALSE;
 }
+
+ }
+ else
+ {
+ Usage();
+ return FALSE;
 }
 }
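Review bot: The new `switch (argv[i][1])` inspects only the first character after the dash, so trailing characters are silently dropped: `-sd`, which the removed loop parsed as scan plus disconnect, now sets only bScan, and a mistyped long word starting with `-c` is accepted as `-c`. Rejecting anything that is not exactly a two-character option keeps a typo from quietly running a different operation, e.g. `if (argv[i][1] == '\0' || argv[i][2] != '\0') { Usage(); return FALSE; }` ahead of the switch; the first test also keeps the `argv[i][2]` read inside the string. The `-c` and `-w` cases take the following argument without looking at it, so `-c -w` stores `-w` as the SSID, and the WEP key arrives through argv where other processes may be able to read it, which deserves a line in Usage(). The enclosing function starts and ends outside the hunk.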
Modified: branches/wlan-bringup/drivers/network/ndisuio/ioctl.c URL: http://svn.reactos.org/svn/reactos/branches/wlan-bringup/drivers/network/ndi... ============================================================================== --- branches/wlan-bringup/drivers/network/ndisuio/ioctl.c [iso-8859-1] (original) +++ branches/wlan-bringup/drivers/network/ndisuio/ioctl.c [iso-8859-1] Sun Jan 8 06:51:44 2012 @@ -33,7 +33,7 @@ NTSTATUS QueryBinding(PIRP Irp, PIO_STACK_LOCATION IrpSp) { - PNDISUIO_ADAPTER_CONTEXT AdapterContext; + PNDISUIO_ADAPTER_CONTEXT AdapterContext = NULL; PNDISUIO_QUERY_BINDING QueryBinding = Irp->AssociatedIrp.SystemBuffer; ULONG BindingLength = IrpSp->Parameters.DeviceIoControl.InputBufferLength; NTSTATUS Status; @@ -50,14 +50,16 @@ while (CurrentEntry != &GlobalAdapterList) { if (i == QueryBinding->BindingIndex) + { + AdapterContext = CONTAINING_RECORD(CurrentEntry, NDISUIO_ADAPTER_CONTEXT, ListEntry); break; + } i++; CurrentEntry = CurrentEntry->Flink; } KeReleaseSpinLock(&GlobalAdapterListLock, OldIrql); - if (i == QueryBinding->BindingIndex) - { - AdapterContext = CONTAINING_RECORD(CurrentEntry, NDISUIO_ADAPTER_CONTEXT, ListEntry); + if (AdapterContext) + { DPRINT("Query binding for index %d is adapter %wZ\n", i, &AdapterContext->DeviceName); BytesCopied = sizeof(NDISUIO_QUERY_BINDING); if (AdapterContext->DeviceName.Length <= BindingLength - BytesCopied)
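Review bot: In the second ioctl.c hunk, AdapterContext is captured while GlobalAdapterListLock is held but is dereferenced (`AdapterContext->DeviceName`) only after KeReleaseSpinLock, and no reference on the context is taken anywhere in the hunk. If an adapter can be unbound and its context freed concurrently, the name copy would read freed memory; hold the lock across the copy or take a reference before releasing it, whichever this driver's conventions provide. Separately, the unchanged check `AdapterContext->DeviceName.Length <= BindingLength - BytesCopied` subtracts in ULONG, so an input buffer shorter than `sizeof(NDISUIO_QUERY_BINDING)` wraps to a huge value and passes; unless lines outside the hunk already reject it, treat `BindingLength < sizeof(NDISUIO_QUERY_BINDING)` as a failure before `QueryBinding->BindingIndex` is read. QueryBinding's body starts and ends outside this hunk.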