https://git.reactos.org/?p=reactos.git;a=commitdiff;h=26ab9f8a037475d543403…
commit 26ab9f8a037475d5434038c52cf84f25ac4d59d3
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Mon Apr 15 12:10:23 2019 +0200
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Sun May 5 10:39:14 2019 +0200
[NTOS:CM] Avoid a fixed-length stack buffer in CmpAddToHiveFileList. CORE-15882
---
ntoskrnl/config/cmhvlist.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/ntoskrnl/config/cmhvlist.c b/ntoskrnl/config/cmhvlist.c
index 25f8414052..8a4009303d 100644
--- a/ntoskrnl/config/cmhvlist.c
+++ b/ntoskrnl/config/cmhvlist.c
@@ -134,11 +134,11 @@ CmpAddToHiveFileList(IN PCMHIVE Hive)
HANDLE KeyHandle;
UNICODE_STRING HivePath;
PWCHAR FilePath;
- UCHAR Buffer[sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR)];
- ULONG Length = sizeof(Buffer);
- POBJECT_NAME_INFORMATION FileNameInfo = (POBJECT_NAME_INFORMATION)Buffer;
+ ULONG Length;
+ POBJECT_NAME_INFORMATION FileNameInfo;
HivePath.Buffer = NULL;
+ FileNameInfo = NULL;
/* Create or open the hive list key */
InitializeObjectAttributes(&ObjectAttributes,
@@ -172,6 +172,27 @@ CmpAddToHiveFileList(IN PCMHIVE Hive)
/* Get the name of the corresponding file */
if (!(Hive->Hive.HiveFlags & HIVE_VOLATILE))
{
+ /* Determine the right buffer size and allocate */
+ Status = ZwQueryObject(Hive->FileHandles[HFILE_TYPE_PRIMARY],
+ ObjectNameInformation,
+ NULL,
+ 0,
+ &Length);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ {
+ DPRINT1("CmpAddToHiveFileList: Hive file name size query failed, status
= 0x%08lx\n", Status);
+ goto Quickie;
+ }
+
+ FileNameInfo = ExAllocatePoolWithTag(PagedPool,
+ Length + sizeof(UNICODE_NULL),
+ TAG_CM);
+ if (FileNameInfo == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto Quickie;
+ }
+
/* Try to get the value */
Status = ZwQueryObject(Hive->FileHandles[HFILE_TYPE_PRIMARY],
ObjectNameInformation,
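Review bot: The sizing call's check `if (Status != STATUS_BUFFER_TOO_SMALL)` accepts exactly one status, but the status an undersized `ObjectNameInformation` query returns depends on the object manager and on the file object's name-query path; `STATUS_INFO_LENGTH_MISMATCH` or `STATUS_BUFFER_OVERFLOW` look plausible too, and this hunk does not show which one is produced. If a different length status comes back, the hive never gets its hivelist entry, and if the call ever returned a success status the `goto Quickie` would report success without having written anything. Consider accepting the other length statuses and adding `if (NT_SUCCESS(Status)) Status = STATUS_UNSUCCESSFUL;` before the jump, or at least a comment saying why only this status is expected. Separately, `ExAllocatePoolWithTag` does not zero the block, so the extra `sizeof(UNICODE_NULL)` only helps if the code after this hunk (not visible here) bounds the second query by `Length` and writes the terminator itself.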
@@ -215,7 +236,14 @@ CmpAddToHiveFileList(IN PCMHIVE Hive)
Quickie:
/* Cleanup and return status */
- if (HivePath.Buffer) ExFreePoolWithTag(HivePath.Buffer, TAG_CM);
+ if (HivePath.Buffer)
+ {
+ ExFreePoolWithTag(HivePath.Buffer, TAG_CM);
+ }
+ if (FileNameInfo)
+ {
+ ExFreePoolWithTag(FileNameInfo, TAG_CM);
+ }
ObCloseHandle(KeyHandle, KernelMode);
return Status;
}