https://git.reactos.org/?p=reactos.git;a=commitdiff;h=e1b20681f53e3ea098eaa75ef95443d1316c0b95

commit e1b20681f53e3ea098eaa75ef95443d1316c0b95
Author:     Thomas Faber <[email protected]>
AuthorDate: Sun Mar 24 14:47:59 2019 +0100
Commit:     Thomas Faber <[email protected]>
CommitDate: Sun May 5 10:39:01 2019 +0200

    [NTOS:IO] Avoid a fixed-length buffer in IopGetDriverObject. CORE-15882
---
 ntoskrnl/io/iomgr/driver.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index 9bbbb2cda7..49422e003a 100644
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -108,7 +108,7 @@ IopGetDriverObject(
     BOOLEAN FileSystem)
 {
     PDRIVER_OBJECT Object;
-    WCHAR NameBuffer[MAX_PATH];
+    UNICODE_STRING Prefix;
     UNICODE_STRING DriverName;
     NTSTATUS Status;
 
@@ -123,14 +123,20 @@ IopGetDriverObject(
         /* We don't know which DriverObject we have to open */
         return STATUS_INVALID_PARAMETER_2;
 
-    DriverName.Buffer = NameBuffer;
-    DriverName.Length = 0;
-    DriverName.MaximumLength = sizeof(NameBuffer);
-
     if (FileSystem != FALSE)
-        RtlAppendUnicodeToString(&DriverName, FILESYSTEM_ROOT_NAME);
+        RtlInitUnicodeString(&Prefix, FILESYSTEM_ROOT_NAME);
     else
-        RtlAppendUnicodeToString(&DriverName, DRIVER_ROOT_NAME);
+        RtlInitUnicodeString(&Prefix, DRIVER_ROOT_NAME);
+
+    DriverName.Length = 0;
+    DriverName.MaximumLength = Prefix.Length + ServiceName->Length + 
sizeof(UNICODE_NULL);
+    ASSERT(DriverName.MaximumLength > ServiceName->Length);
+    DriverName.Buffer = ExAllocatePoolWithTag(PagedPool, 
DriverName.MaximumLength, TAG_IO);
+    if (DriverName.Buffer == NULL)
+    {
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+    RtlAppendUnicodeStringToString(&DriverName, &Prefix);
     RtlAppendUnicodeStringToString(&DriverName, ServiceName);
 
     DPRINT("Driver name: '%wZ'\n", &DriverName);
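Review bot: The `ASSERT` that follows the `DriverName.MaximumLength` computation is the only guard against the sum wrapping the 16-bit `MaximumLength` field, and assertions are normally compiled out of release builds. If `ServiceName->Length` is close to the UNICODE_STRING limit, the allocation is sized from the wrapped value, and both `RtlAppendUnicodeStringToString` calls are made without checking their returned status. In that case the lookup would presumably proceed with an empty or prefix-only name instead of failing cleanly. A runtime check before the assignment makes the failure explicit, e.g. `if ((ULONG)Prefix.Length + ServiceName->Length + sizeof(UNICODE_NULL) > MAXUSHORT) return STATUS_INVALID_PARAMETER;`, and testing the append results with `NT_SUCCESS` would cover the copy as well. IopGetDriverObject begins and ends outside this hunk, so any other exit paths between the allocation and the later free are not visible here.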
@@ -144,6 +150,7 @@ IopGetDriverObject(
                                      KernelMode,
                                      NULL, /* ParseContext */
                                      (PVOID*)&Object);
+    ExFreePoolWithTag(DriverName.Buffer, TAG_IO);
     if (!NT_SUCCESS(Status))
     {
         DPRINT("Failed to reference driver object, status=0x%08x\n", Status);
