[ros-bugs] ARC: IopXXX() off-by-one bug in ntoskrnl/io/iomgr/arcname.c

王智通 zhitong.wangzt at alibaba-inc.com
Mon May 24 11:21:44 CEST 2010

Off-by-one errors in ntoskrnl/io/iomgr/arcname.c: IopAssignArcNamesToCdrom() doesn't check the KeLoaderBlock->ArcBootDeviceName length, so using sprintf could cause a kernel stack buffer overflow or an off-by-one error.

    IopAssignArcNamesToCdrom(IN PULONG Buffer, IN ULONG DiskNumber)
    {
        CHAR ArcBuffer[128];

        if (IopApplyRosCdromArcHack(DiskNumber))
        {
            /* Does not check the KeLoaderBlock->ArcBootDeviceName length; sprintf could cause a
               kernel stack buffer overflow of ArcBuffer. Even if the KeLoaderBlock->ArcBootDeviceName
               length equals 128, it will miss '\0' */
            sprintf(ArcBuffer, "\\ArcName\\%s", KeLoaderBlock->ArcBootDeviceName);
        }
    }

So IopAssignArcNamesToCdrom() should check the KeLoaderBlock->ArcBootDeviceName length or replace sprintf with snprintf. The same errors also exist in IopCreateArcNames() and IopReassignSystemRoot().
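As an added stand-alone illustration of the fix the report asks for (this is not ReactOS code): a bounded builder that uses snprintf's return value to refuse any device name that would not fit a 128-byte ArcBuffer together with the "\ArcName\" prefix and its terminator, instead of overflowing the stack or dropping the NUL. The ARC-style device name in main() is a constructed sample.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARC_BUFFER_SIZE 128            /* matches CHAR ArcBuffer[128] in the report */
#define ARC_PREFIX      "\\ArcName\\"  /* 9 characters once escapes are resolved */

/*
 * Bounded replacement for the unchecked sprintf() in the report. Fills 'out'
 * and returns true when "\ArcName\<device>" plus its NUL fits in 'outlen'
 * bytes. snprintf() returns the length the full string would have had, so
 * comparing it against outlen detects an overlong name (including the
 * "exactly fills the buffer, no room for NUL" case) instead of truncating.
 */
bool build_arc_name(char *out, size_t outlen, const char *device)
{
    if (out == NULL || outlen == 0 || device == NULL)
        return false;

    int needed = snprintf(out, outlen, ARC_PREFIX "%s", device);
    if (needed < 0 || (size_t)needed >= outlen) {
        out[0] = '\0';     /* refuse rather than hand back a truncated name */
        return false;
    }
    return true;
}

/* Largest device-name length that still fits: buffer - prefix - NUL. */
size_t max_device_name_len(size_t outlen)
{
    size_t prefix = strlen(ARC_PREFIX);
    return outlen > prefix ? outlen - prefix - 1 : 0;
}

int main(void)
{
    char arc[ARC_BUFFER_SIZE];
    char longname[ARC_BUFFER_SIZE + 8];

    /* Constructed inputs: a normal ARC name, then one longer than the buffer. */
    printf("%d\n", build_arc_name(arc, sizeof arc, "multi(0)disk(0)cdrom(0)"));
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("%d\n", build_arc_name(arc, sizeof arc, longname));
    return 0;
}
```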


