[ros-dev] Re: [ros-diffs] [hpoussin] 18442: Don't always return STATUS_BUFFER_TOO_SMALL when an error occurs in ZwQueryValueKey.
Alex Ionescu
ionucu at videotron.ca
Fri Oct 14 17:12:46 CEST 2005
hpoussin at svn.reactos.com wrote:
>Don't always return STATUS_BUFFER_TOO_SMALL when an error occurs in ZwQueryValueKey.
>The "if" was triggered because ValueInformation->DataLength is 0xcdcdcdcd at the return of the function
>
But that means that the memory was freed during the failure, so now the
ExFreePool will run into a double-free!
>Modified: trunk/reactos/ntoskrnl/io/pnpmgr.c
>
>
> ------------------------------------------------------------------------
> *Modified: trunk/reactos/ntoskrnl/io/pnpmgr.c*
>
>--- trunk/reactos/ntoskrnl/io/pnpmgr.c 2005-10-14 13:00:18 UTC (rev 18441)
>+++ trunk/reactos/ntoskrnl/io/pnpmgr.c 2005-10-14 13:04:11 UTC (rev 18442)
>@@ -322,15 +322,18 @@
>
> *ResultLength = ValueInformation->DataLength;
> ZwClose(KeyHandle);
>
>
>
>- if (ValueInformation->DataLength > BufferLength)
>- Status = STATUS_BUFFER_TOO_SMALL;
>-
>
>
> if (!NT_SUCCESS(Status))
> {
> ExFreePool(ValueInformation);
> return Status;
> }
>
>
>
>+ if (ValueInformation->DataLength > BufferLength)
>+ {
>+ ExFreePool(ValueInformation);
>+ return STATUS_BUFFER_TOO_SMALL;
>+ }
>+
>
>
> /* FIXME: Verify the value (NULL-terminated, correct format). */
>
> RtlCopyMemory(PropertyBuffer, ValueInformation->Data,
>
>
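Review bot: `*ResultLength = ValueInformation->DataLength;` at the top of the hunk still executes before `if (!NT_SUCCESS(Status))`, so when ZwQueryValueKey has failed the caller's ResultLength is written from a field that was never filled in (the 0xcdcdcdcd the commit message describes), which is the same stale value the removed comparison was reading; move that assignment below the status check, or set `*ResultLength = 0` on the failure path, so the output parameter is only ever written from a successfully populated ValueInformation. As far as these lines show, the new block after the status check does call `ExFreePool(ValueInformation);` before returning STATUS_BUFFER_TOO_SMALL, so the relocated early return itself neither leaks nor double-frees the buffer; whether the failure path frees it earlier cannot be seen from this hunk and should be confirmed against the allocation site.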
Please check this out in more detail...
Best regards,
Alex Ionescu