[ros-bugs] ARC: IopXXX() off-by-one bug in ntoskrnl/io/iomgr/arcname.c

王智通 zhitong.wangzt at alibaba-inc.com
Mon May 24 11:21:44 CEST 2010


Off-by-one errors in ntoskrnl/io/iomgr/arcname.c: IopAssignArcNamesToCdrom() doesn't check the
KeLoaderBlock->ArcBootDeviceName length, so using sprintf could cause a kernel stack buffer overflow
or an off-by-one error.



BOOLEAN
INIT_FUNCTION
NTAPI
IopAssignArcNamesToCdrom(IN PULONG Buffer, IN ULONG DiskNumber)
{
    CHAR ArcBuffer[128];
…
    if (IopApplyRosCdromArcHack(DiskNumber))
    {
        /* The KeLoaderBlock->ArcBootDeviceName length is not checked, so sprintf could
           overflow the kernel stack buffer ArcBuffer. Even if the KeLoaderBlock->ArcBootDeviceName
           length equals 128, it will miss the terminating '\0'. */
        sprintf(ArcBuffer, "\\ArcName\\%s", KeLoaderBlock->ArcBootDeviceName);
…
}

So IopAssignArcNamesToCdrom() should check the KeLoaderBlock->ArcBootDeviceName length or replace
sprintf with snprintf. The same errors are also in IopCreateArcNames() and IopReassignSystemRoot().



Thanks.
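A hardened version of the string build the report describes, as an added example (not code from the report or from ReactOS): it keeps the 128-byte buffer and the "\\ArcName\\" prefix, uses the return value of snprintf to reject a boot device name that would not fit with its terminator, and demonstrates the exact boundary. The function names, buffer size constant and sample names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define ARC_BUFFER_SIZE 128          /* same size as ArcBuffer in the report */
#define ARC_PREFIX "\\ArcName\\"     /* same prefix as the sprintf format */

/* Hardened builder (assumed name): same "\\ArcName\\<name>" output as the
 * sprintf in the report, but a name that does not fit, NUL included, is
 * refused instead of written past the end of the caller's buffer. */
bool build_arc_name(char *out, size_t out_size, const char *boot_device_name)
{
    /* snprintf returns the length the untruncated string would have had;
     * a value >= out_size means the input was too long for the buffer. */
    int needed = snprintf(out, out_size, ARC_PREFIX "%s", boot_device_name);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';   /* do not leave a half-built ARC name behind */
        return false;
    }
    return true;
}

/* Longest boot device name that still fits: prefix + name + '\0' == 128. */
size_t max_boot_device_name_len(void)
{
    return ARC_BUFFER_SIZE - (sizeof(ARC_PREFIX) - 1) - 1;   /* 118 */
}

/* Demonstration on constructed names (not real loader block data).
 * Returns 1 when the boundary behaves as expected. */
int demo(void)
{
    char arc_buffer[ARC_BUFFER_SIZE];
    char name[ARC_BUFFER_SIZE + 1];
    size_t max_len = max_boot_device_name_len();

    /* Exactly max_len characters: fits, with room for the terminator. */
    memset(name, 'A', max_len);
    name[max_len] = '\0';
    bool fits = build_arc_name(arc_buffer, sizeof arc_buffer, name);

    /* One more character: sprintf would have put the '\0' one byte past
     * the 128-byte buffer, the off-by-one the report describes. */
    memset(name, 'A', max_len + 1);
    name[max_len + 1] = '\0';
    bool rejected = !build_arc_name(arc_buffer, sizeof arc_buffer, name);

    printf("max name length %zu: fits=%d rejected=%d\n", max_len, fits, rejected);
    return fits && rejected;
}
```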

