[reactos] 02/02: [NTOS:IO] Fix driverName.Buffer leak in some failure paths in IopGetDriverNames(). - Ros-diffs

16 Jun 2021

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=32a82eb123e75544cf6cd9...
commit 32a82eb123e75544cf6cd9341589928bed5be89c
Author:     Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org
AuthorDate: Thu Jun 10 23:11:27 2021 +0200
Commit:     Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org
CommitDate: Wed Jun 16 22:18:02 2021 +0200
[NTOS:IO] Fix driverName.Buffer leak in some failure paths in IopGetDriverNames().
driverName.Buffer leaked when the "(!NT_SUCCESS(status) || ServiceName != NULL)"
    case is taken because ServiceName != NULL, and some of the functions fail.
---
 ntoskrnl/io/iomgr/driver.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index f48a85a9705..6a42dd30f7a 100644
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -171,21 +171,22 @@ IopGetDriverNames(
         status = ZwQueryKey(ServiceHandle, KeyBasicInformation, NULL, 0, &infoLength);
         if (status != STATUS_BUFFER_TOO_SMALL)
         {
-            return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
+            status = (NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status);
+            goto Cleanup;
         }
/* Allocate the buffer and retrieve the data */
         basicInfo = ExAllocatePoolWithTag(PagedPool, infoLength, TAG_IO);
         if (!basicInfo)
         {
-            return STATUS_INSUFFICIENT_RESOURCES;
+            status = STATUS_INSUFFICIENT_RESOURCES;
+            goto Cleanup;
         }
status = ZwQueryKey(ServiceHandle, KeyBasicInformation, basicInfo, infoLength, &infoLength);
         if (!NT_SUCCESS(status))
         {
-            ExFreePoolWithTag(basicInfo, TAG_IO);
-            return status;
+            goto Cleanup;
         }
serviceName.Length = basicInfo->NameLength;
@@ -248,7 +249,6 @@ IopGetDriverNames(
         PWCHAR buf = ExAllocatePoolWithTag(PagedPool, serviceName.Length, TAG_IO);
         if (!buf)
         {
-            ExFreePoolWithTag(driverName.Buffer, TAG_IO);
             status = STATUS_INSUFFICIENT_RESOURCES;
             goto Cleanup;
         }
@@ -265,6 +265,9 @@ Cleanup:
     if (basicInfo)
         ExFreePoolWithTag(basicInfo, TAG_IO);
+    if (!NT_SUCCESS(status) && driverName.Buffer)
+        ExFreePoolWithTag(driverName.Buffer, TAG_IO);
+
     return status;
 }

    