[ros-dev] Usage of RtlAllocateHeap
mbealby at gmail.com
Sun Dec 11 15:20:35 CET 2005
First of all I would like to introduce myself. My name is Martin and I am
currently attempting to go through and audit the ReactOS source code for
security vulnerabilities. I've been keeping an eye on the project for
about a year now and I think as development is now rapidly increasing,
security must take more and more of a priority.
I started with the kernel32 library on Friday (9th) and have found a
number of possible security vulnerabilities. These have been filed with
bugzilla and I'm very impressed with the rate that these were fixed. So
well done on that count!
However, after submitting bugs #1102 and #1103 (now fixed by
BrandonTurner) it became apparent that incorrect usage of the
RtlAllocateHeap function (and its alias HeapAlloc) is quite common. It
may return NULL if memory cannot be allocated and in some parts of the
code this is not checked. This would lead to a segmentation fault on
reading / writing.
Through some judicious use of grep I went through the source code and
extracted calls to this function with their context. After going through
each one and investigating it I have now found another twenty occurrences
of the same bug (this is just in the kernel32 library).
I am writing this to let all developers know that they must check their
return values. Errors can exist, resources may be starved and the call
may fail. Make sure your code can cope with this.
Finally, as I am fairly new to bugzilla, should I submit each of these
twenty bugs individually or should I submit them all as one bug?
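An added example (not from this mail or the ReactOS tree) of the unchecked pattern described above beside a version that handles a NULL return. `heap_alloc` and `g_alloc_limit` are assumed stand-ins for `HeapAlloc(GetProcessHeap(), 0, size)` so the failure path can be exercised outside Windows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed portable stand-in for RtlAllocateHeap/HeapAlloc: returns NULL when
 * the request cannot be satisfied. g_alloc_limit is a constructed fault-
 * injection knob so the failure path can be exercised on any platform. */
static size_t g_alloc_limit = (size_t)-1;

static void *heap_alloc(size_t size)
{
    if (size > g_alloc_limit)
        return NULL;                 /* simulate heap exhaustion */
    return calloc(1, size);          /* like HEAP_ZERO_MEMORY */
}

/* BEFORE: the pattern the audit flagged. The return value is never checked,
 * so under memory pressure strcpy writes through a null pointer. */
char *dup_unchecked(const char *s)
{
    char *copy = heap_alloc(strlen(s) + 1);
    strcpy(copy, s);                 /* faults when copy == NULL */
    return copy;
}

/* AFTER: check the return value and report failure to the caller.
 * Returns 0 on success and -1 if the heap refused the request. */
int dup_checked(const char *s, char **out)
{
    size_t len = strlen(s) + 1;
    char *copy = heap_alloc(len);
    *out = NULL;
    if (copy == NULL)
        return -1;                   /* nothing dereferenced, caller decides */
    memcpy(copy, s, len);
    *out = copy;
    return 0;
}

/* Run dup_checked under a given allocation limit and report the outcome. */
int dup_with_limit(const char *s, size_t limit)
{
    char *copy;
    int rc;
    g_alloc_limit = limit;
    rc = dup_checked(s, &copy);
    g_alloc_limit = (size_t)-1;
    free(copy);                      /* free(NULL) is a no-op */
    return rc;
}
```

Calling `dup_unchecked` with the limit lowered is exactly the crash the audit found; `dup_checked` returns -1 instead.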