https://git.reactos.org/?p=reactos.git;a=commitdiff;h=93b0957641f1b8c831152aa6fdfc43e2d528f9b4
commit 93b0957641f1b8c831152aa6fdfc43e2d528f9b4 Author: Pierre Schweitzer <[email protected]> AuthorDate: Sat Feb 16 09:00:06 2019 +0100 Commit: Pierre Schweitzer <[email protected]> CommitDate: Sat Feb 16 09:00:06 2019 +0100 [IPHLPAPI] Check pointers when returning module info from specific connection --- dll/win32/iphlpapi/iphlpapi_main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/dll/win32/iphlpapi/iphlpapi_main.c b/dll/win32/iphlpapi/iphlpapi_main.c index 83d53d2b10..5993c74f98 100644 --- a/dll/win32/iphlpapi/iphlpapi_main.c +++ b/dll/win32/iphlpapi/iphlpapi_main.c @@ -2293,6 +2293,12 @@ static DWORD GetOwnerModuleFromPidEntry(DWORD OwningPid, TCPIP_OWNER_MODULE_INFO WCHAR File[MAX_PATH], Path[MAX_PATH]; PTCPIP_OWNER_MODULE_BASIC_INFO BasicInfo; + if (IsBadWritePtr(pdwSize, sizeof(DWORD)) || + IsBadWritePtr(Buffer, *pdwSize)) + { + return ERROR_INVALID_PARAMETER; + } + if (OwningPid == 0) { return ERROR_NOT_FOUND; @@ -2363,6 +2369,12 @@ static DWORD GetOwnerModuleFromTagEntry(DWORD OwningPid, DWORD OwningTag, TCPIP_ PWSTR Buffer; } ServiceQuery; + if (IsBadWritePtr(pdwSize, sizeof(DWORD)) || + IsBadWritePtr(Buffer, *pdwSize)) + { + return ERROR_INVALID_PARAMETER; + } + /* First, secure (avoid injections) load advapi32.dll */ Size = GetSystemDirectoryW(SysDir, MAX_PATH); if (Size == 0)
