Author: tkreuzer Date: Wed Oct 22 19:20:03 2014 New Revision: 64903
URL: http://svn.reactos.org/svn/reactos?rev=64903&view=rev Log: [NTOSKRNL] - Fix potential use-after-free CID 732509 - Fix buffer size in call to ObQueryNameString
Modified: trunk/reactos/ntoskrnl/io/iomgr/error.c
Modified: trunk/reactos/ntoskrnl/io/iomgr/error.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/error.c?r... ==============================================================================
--- trunk/reactos/ntoskrnl/io/iomgr/error.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/io/iomgr/error.c [iso-8859-1] Wed Oct 22 19:20:03 2014
@@ -310,11 +310,9 @@
 /* We do, query its name */
 Status = ObQueryNameString(LogEntry->DeviceObject,
 ObjectNameInfo,
- sizeof(OBJECT_NAME_INFORMATION) +
- 100 -
- DriverNameLength,
+ sizeof(Buffer),
 &ReturnedLength);
- if ((!NT_SUCCESS(Status)) || !(ObjectNameInfo->Name.Length))
+ if (!NT_SUCCESS(Status) || (ObjectNameInfo->Name.Length == 0))
 {
 /* Setup an empty name */
 ObjectNameInfo->Name.Length = 0;
@@ -371,6 +369,7 @@
 {
 ExFreePool(PoolObjectNameInfo);
 PoolObjectNameInfo = NULL;
+ ObjectNameInfo = (POBJECT_NAME_INFORMATION)&Buffer;
 }
/* Go to the next string buffer position */
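Review bot: The reset `ObjectNameInfo = (POBJECT_NAME_INFORMATION)&Buffer;` in the second hunk sits only in the branch that frees PoolObjectNameInfo, while the first hunk now passes `sizeof(Buffer)` as the length of whatever ObjectNameInfo points to at the ObQueryNameString call. That length is correct only while ObjectNameInfo refers to the stack Buffer; if any path not visible in these hunks reaches the query with the pointer still on a pool allocation, the size no longer describes the destination. Assigning the pointer immediately before the query, or adding `ASSERT(ObjectNameInfo == (POBJECT_NAME_INFORMATION)&Buffer);` there, would keep pointer and length tied together at the point of use. Both enclosing blocks start and end outside the hunks and the declaration of Buffer is not shown, so its size and its alignment for the cast are worth confirming.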