Author: tkreuzer
Date: Wed Jan 25 16:45:42 2012
New Revision: 55173

URL: http://svn.reactos.org/svn/reactos?rev=55173&view=rev
Log:
[FREELDR]
Fix wrong buffer size calculation that could lead to memory corruption
Kudos go to Jardar for debugging the issue.

Modified:
    trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c

Modified: trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c?rev=55173&r1=55172&r2=55173&view=diff
==============================================================================
--- trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c [iso-8859-1] 
(original)
+++ trunk/reactos/boot/freeldr/freeldr/arch/i386/hardware.c [iso-8859-1] Wed 
Jan 25 16:45:42 2012
@@ -250,7 +250,8 @@
   TRACE("Estimated buffer size %u\n", NodeSize * NodeCount);
 
     /* Set 'Configuration Data' value */
-  Size = sizeof(CM_PARTIAL_RESOURCE_LIST) + (NodeSize * NodeCount);
+  Size = sizeof(CM_PARTIAL_RESOURCE_LIST)
+        + sizeof(CM_PNP_BIOS_INSTALLATION_CHECK) + (NodeSize * NodeCount);
   PartialResourceList = MmHeapAlloc(Size);
   if (PartialResourceList == NULL)
     {
@@ -268,8 +269,8 @@
   PartialResourceList->PartialDescriptors[0].ShareDisposition =
     CmResourceShareUndetermined;
 
-  Ptr = (char *)(((ULONG_PTR)&PartialResourceList->PartialDescriptors[0]) +
-                sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR));
+  /* The buffer starts after PartialResourceList->PartialDescriptors[0] */
+  Ptr = (char *)(PartialResourceList + 1);
 
   /* Set instalation check data */
   memcpy (Ptr, InstData, sizeof(CM_PNP_BIOS_INSTALLATION_CHECK));
@@ -291,6 +292,12 @@
                    DeviceNode->Node,
                    DeviceNode->Size,
                    DeviceNode->Size);
+
+      if (PnpBufferSize + DeviceNode->Size > Size)
+      {
+          ERR("Buffer too small!\n");
+          break;
+      }
 
          memcpy (Ptr,
                  DeviceNode,
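Review bot: The new bound check compares `PnpBufferSize + DeviceNode->Size` against `Size`, but `Size` is the whole allocation including the CM_PARTIAL_RESOURCE_LIST header, while the copies through `Ptr` start at `PartialResourceList + 1`; unless `PnpBufferSize` is initialised to account for that header (its initialisation is outside this hunk), the check still allows up to `sizeof(CM_PARTIAL_RESOURCE_LIST)` bytes of overrun before it trips. Comparing against the data area removes the ambiguity: `if (PnpBufferSize + DeviceNode->Size > Size - sizeof(CM_PARTIAL_RESOURCE_LIST))`. The ERR path only leaves the loop, so the node list is silently truncated; tracing how many nodes were actually copied versus NodeCount would make that condition visible in the log. The enclosing loop and function continue outside the hunk.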

