https://git.reactos.org/?p=reactos.git;a=commitdiff;h=26ab9f8a037475d5434038...
commit 26ab9f8a037475d5434038c52cf84f25ac4d59d3 Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Mon Apr 15 12:10:23 2019 +0200 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sun May 5 10:39:14 2019 +0200
[NTOS:CM] Avoid a fixed-length stack buffer in CmpAddToHiveFileList. CORE-15882 --- ntoskrnl/config/cmhvlist.c | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/ntoskrnl/config/cmhvlist.c b/ntoskrnl/config/cmhvlist.c
index 25f8414052..8a4009303d 100644
--- a/ntoskrnl/config/cmhvlist.c
+++ b/ntoskrnl/config/cmhvlist.c
@@ -134,11 +134,11 @@ CmpAddToHiveFileList(IN PCMHIVE Hive)
 HANDLE KeyHandle;
 UNICODE_STRING HivePath;
 PWCHAR FilePath;
- UCHAR Buffer[sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR)];
- ULONG Length = sizeof(Buffer);
- POBJECT_NAME_INFORMATION FileNameInfo = (POBJECT_NAME_INFORMATION)Buffer;
+ ULONG Length;
+ POBJECT_NAME_INFORMATION FileNameInfo;
 HivePath.Buffer = NULL;
+ FileNameInfo = NULL;
 /* Create or open the hive list key */
 InitializeObjectAttributes(&ObjectAttributes,
@@ -172,6 +172,27 @@ CmpAddToHiveFileList(IN PCMHIVE Hive)
 /* Get the name of the corresponding file */
 if (!(Hive->Hive.HiveFlags & HIVE_VOLATILE))
 {
+ /* Determine the right buffer size and allocate */
+ Status = ZwQueryObject(Hive->FileHandles[HFILE_TYPE_PRIMARY],
+ ObjectNameInformation,
+ NULL,
+ 0,
+ &Length);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ {
+ DPRINT1("CmpAddToHiveFileList: Hive file name size query failed, status = 0x%08lx\n", Status);
+ goto Quickie;
+ }
+
+ FileNameInfo = ExAllocatePoolWithTag(PagedPool,
+ Length + sizeof(UNICODE_NULL),
+ TAG_CM);
+ if (FileNameInfo == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto Quickie;
+ }
+
 /* Try to get the value */
 Status = ZwQueryObject(Hive->FileHandles[HFILE_TYPE_PRIMARY],
 ObjectNameInformation,
@@ -215,7 +236,14 @@ CmpAddToHiveFileList(IN PCMHIVE Hive)
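Review bot: The second ZwQueryObject call, whose buffer-size argument and status check lie past the end of this hunk, now receives a buffer sized by a separate probe, so a name that grows between the two queries would come back with STATUS_BUFFER_OVERFLOW — a success-class status that NT_SUCCESS() accepts — and a truncated name could be consumed; unless the unchanged code already does so, the check after that call should reject it explicitly, e.g. `if (!NT_SUCCESS(Status) || Status == STATUS_BUFFER_OVERFLOW) goto Quickie;`. The size probe accepts only STATUS_BUFFER_TOO_SMALL; if the object manager can also report the required size with STATUS_INFO_LENGTH_MISMATCH for a zero-length ObjectNameInformation query, this path fails closed for every non-volatile hive, which is worth confirming against ObQueryNameString before relying on it. The `Length + sizeof(UNICODE_NULL)` allocation would read better with a one-line comment stating what the extra WCHAR is for, e.g. `/* One extra WCHAR so the returned name can be NUL-terminated in place */`, assuming that is what the later code relies on. CmpAddToHiveFileList begins and ends outside this hunk.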
 Quickie:
 /* Cleanup and return status */
- if (HivePath.Buffer) ExFreePoolWithTag(HivePath.Buffer, TAG_CM);
+ if (HivePath.Buffer)
+ {
+ ExFreePoolWithTag(HivePath.Buffer, TAG_CM);
+ }
+ if (FileNameInfo)
+ {
+ ExFreePoolWithTag(FileNameInfo, TAG_CM);
+ }
 ObCloseHandle(KeyHandle, KernelMode);
 return Status;
 }