https://git.reactos.org/?p=reactos.git;a=commitdiff;h=d570482bc72241156261f35cacb96b1405138412

commit d570482bc72241156261f35cacb96b1405138412
Author:     Thomas Faber <[email protected]>
AuthorDate: Wed Apr 17 09:37:37 2019 +0200
Commit:     Thomas Faber <[email protected]>
CommitDate: Sun May 5 10:39:18 2019 +0200

    [NTOS:CM] Avoid a fixed-length stack buffer in CmpCmdHiveOpen. CORE-15882
---
 ntoskrnl/config/cmlazy.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/ntoskrnl/config/cmlazy.c b/ntoskrnl/config/cmlazy.c
index 8093c61bd5..9376076652 100644
--- a/ntoskrnl/config/cmlazy.c
+++ b/ntoskrnl/config/cmlazy.c
@@ -278,9 +278,8 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
     NTSTATUS Status;
     UNICODE_STRING FileName;
     PWCHAR FilePath;
-    UCHAR Buffer[sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR)];
-    ULONG Length = sizeof(Buffer);
-    POBJECT_NAME_INFORMATION FileNameInfo = (POBJECT_NAME_INFORMATION)Buffer;
+    ULONG Length;
+    POBJECT_NAME_INFORMATION FileNameInfo;
 
     PAGED_CODE();
 
@@ -297,6 +296,27 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
             return STATUS_OBJECT_PATH_SYNTAX_BAD;
         }
 
+        /* Determine the right buffer size and allocate */
+        Status = ZwQueryObject(FileAttributes->RootDirectory,
+                               ObjectNameInformation,
+                               NULL,
+                               0,
+                               &Length);
+        if (Status != STATUS_BUFFER_TOO_SMALL)
+        {
+            DPRINT1("CmpCmdHiveOpen(): Root directory handle object name size 
query failed, Status = 0x%08lx\n", Status);
+            return Status;
+        }
+
+        FileNameInfo = ExAllocatePoolWithTag(PagedPool,
+                                             Length + sizeof(UNICODE_NULL),
+                                             TAG_CM);
+        if (FileNameInfo == NULL)
+        {
+            DPRINT1("CmpCmdHiveOpen(): Unable to allocate memory\n");
+            return STATUS_INSUFFICIENT_RESOURCES;
+        }
+
         /* Try to get the value */
         Status = ZwQueryObject(FileAttributes->RootDirectory,
                                ObjectNameInformation,
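Review bot: The zero-length size probe in the first added ZwQueryObject call accepts only STATUS_BUFFER_TOO_SMALL; if the underlying name query reports an undersized buffer with a different status (NtQueryObject on Windows is commonly reported to return STATUS_INFO_LENGTH_MISMATCH for a zero-length ObjectNameInformation query — verify what ReactOS's ObQueryNameString produces for this case), this branch turns a previously working hive open into a failure. If both can occur, check for both, `if (Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_INFO_LENGTH_MISMATCH)`, and keep the DPRINT1 so the actual status is visible when it happens. The length argument of the second ZwQueryObject call lies outside this hunk; it presumably passes the probed Length, and a too-small result from that call is already released by the free added at +327. The enclosing function continues outside the hunk.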
@@ -307,6 +327,7 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
         {
             /* Fail */
             DPRINT1("CmpCmdHiveOpen(): Root directory handle object name query 
failed, Status = 0x%08lx\n", Status);
+            ExFreePoolWithTag(FileNameInfo, TAG_CM);
             return Status;
         }
 
@@ -321,6 +342,7 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
         if (Length > MAXUSHORT)
         {
             /* Name size too long, bail out */
+            ExFreePoolWithTag(FileNameInfo, TAG_CM);
             return STATUS_OBJECT_PATH_INVALID;
         }
 
@@ -331,10 +353,12 @@ CmpCmdHiveOpen(IN POBJECT_ATTRIBUTES FileAttributes,
         {
             /* Fail */
             DPRINT1("CmpCmdHiveOpen(): Unable to allocate memory\n");
+            ExFreePoolWithTag(FileNameInfo, TAG_CM);
             return STATUS_INSUFFICIENT_RESOURCES;
         }
         FileName.MaximumLength = Length;
         RtlCopyUnicodeString(&FileName, &FileNameInfo->Name);
+        ExFreePoolWithTag(FileNameInfo, TAG_CM);
 
         /*
          * Append a path terminator if needed (we have already accounted
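Review bot: After the free that follows RtlCopyUnicodeString, FileNameInfo is left dangling for the rest of CmpCmdHiveOpen, whose body continues outside this hunk; since the earlier exits in this function free the same pointer, a later cleanup that is extended to cover it would double-free. Set the pointer to NULL right after the release, `ExFreePoolWithTag(FileNameInfo, TAG_CM); FileNameInfo = NULL;`, so any subsequent free is a visible no-op rather than a double free.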
