https://git.reactos.org/?p=reactos.git;a=commitdiff;h=bd7121862a58f1dd10587fab67a8479b0d834207

commit bd7121862a58f1dd10587fab67a8479b0d834207
Author:     Thomas Faber <[email protected]>
AuthorDate: Sat Jan 11 14:08:20 2020 +0100
Commit:     Thomas Faber <[email protected]>
CommitDate: Sat Jan 11 14:10:55 2020 +0100

    [NTFS] Fix use after free in failure case of NtfsMountVolume.
    
    NtfsGetVolumeData frees FileRecLookasideList in case of failure, so don't
    free it again.
    Dereferencing NewDeviceObject invalidates Vcb.
---
 drivers/filesystems/ntfs/fsctl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/filesystems/ntfs/fsctl.c b/drivers/filesystems/ntfs/fsctl.c
index a8c2a425619..a08a227c3dd 100644
--- a/drivers/filesystems/ntfs/fsctl.c
+++ b/drivers/filesystems/ntfs/fsctl.c
@@ -452,8 +452,6 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
     if (!NT_SUCCESS(Status))
         goto ByeBye;
 
-    Lookaside = TRUE;
-
     NewDeviceObject->Flags |= DO_DIRECT_IO;
     Vcb = (PVOID)NewDeviceObject->DeviceExtension;
     RtlZeroMemory(Vcb, sizeof(NTFS_VCB));
@@ -466,6 +464,8 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
     if (!NT_SUCCESS(Status))
         goto ByeBye;
 
+    Lookaside = TRUE;
+
     NewDeviceObject->Vpb = DeviceToMount->Vpb;
 
     Vcb->StorageDevice = DeviceToMount;
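Review bot: The new position of `Lookaside = TRUE;` depends on a cleanup contract that is not stated at this site. The call just above it is outside the hunk (the commit message says it is NtfsGetVolumeData), and it must already have deleted FileRecLookasideList on its own failure path. The flag therefore now means "the list exists and ByeBye is responsible for it", which a reader cannot infer from the assignment alone. A comment directly above it would keep a later refactor from moving the line back and reintroducing the double delete, for example `/* NtfsGetVolumeData deletes FileRecLookasideList itself on failure; only after success does ByeBye own it */`. The function body starts and ends outside this hunk, so the initialisation of the list itself is not visible here.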
@@ -564,11 +564,11 @@ ByeBye:
         if (Ccb)
             ExFreePool(Ccb);
 
-        if (NewDeviceObject)
-            IoDeleteDevice(NewDeviceObject);
-
         if (Lookaside)
             ExDeleteNPagedLookasideList(&Vcb->FileRecLookasideList);
+
+        if (NewDeviceObject)
+            IoDeleteDevice(NewDeviceObject);
     }
 
     DPRINT("NtfsMountVolume() done (Status: %lx)\n", Status);
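Review bot: The reordered cleanup under ByeBye is load-bearing but nothing marks it as such. Vcb is taken from `NewDeviceObject->DeviceExtension` earlier in the function, so once `IoDeleteDevice(NewDeviceObject)` runs, `&Vcb->FileRecLookasideList` may point into released memory. A one-line comment above the delete would protect the ordering, e.g. `/* Must come last: Vcb lives in NewDeviceObject's device extension */`. The failure block begins above this hunk, so any other teardown there that goes through Vcb is not visible and should be checked to precede the delete as well.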
