[ros-diffs] [dchapyshev] 41839: - Add user mode buffer probing for NtCreateKey, NtEnumerateKey, NtEnumerateValueKey, NtQueryKey, NtQueryValueKey
dchapyshev at svn.reactos.org
dchapyshev at svn.reactos.org
Fri Jul 10 12:02:38 CEST 2009
Author: dchapyshev
Date: Fri Jul 10 14:02:37 2009
New Revision: 41839
URL: http://svn.reactos.org/svn/reactos?rev=41839&view=rev
Log:
- Add user mode buffer probing for NtCreateKey, NtEnumerateKey, NtEnumerateValueKey, NtQueryKey, NtQueryValueKey
Modified:
trunk/reactos/ntoskrnl/config/ntapi.c
Modified: trunk/reactos/ntoskrnl/config/ntapi.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/config/ntapi.c?rev=41839&r1=41838&r2=41839&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/config/ntapi.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/config/ntapi.c [iso-8859-1] Fri Jul 10 14:02:37 2009
@@ -23,9 +23,9 @@
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
- IN PUNICODE_STRING Class,
+ IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
- OUT PULONG Disposition)
+ OUT PULONG Disposition OPTIONAL)
{
NTSTATUS Status = STATUS_SUCCESS;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
@@ -58,6 +58,8 @@
ProbeForRead(ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG));
+
+ if (Disposition) ProbeForWriteUlong(Disposition);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
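Review bot: The new probe at the end of the try block covers Disposition, but nothing in this hunk probes Class, which the same commit marks OPTIONAL and which user mode passes as a PUNICODE_STRING whose Buffer is presumably read later to name the key's class; if Class is not captured or probed further down (NtCreateKey's body continues outside the hunk), a user-mode pointer would be dereferenced without validation. ProbeForWriteUlong also only proves Disposition is writable at this instant; the eventual store through Disposition, wherever it happens, must itself sit inside an _SEH2_TRY, because user mode can unmap the page in between. Braced form, `if (Disposition) { ProbeForWriteUlong(Disposition); }`, would match the braced blocks this file uses elsewhere.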
@@ -228,6 +230,7 @@
IN ULONG Length,
OUT PULONG ResultLength)
{
+ KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status;
PCM_KEY_BODY KeyObject;
REG_ENUMERATE_KEY_INFORMATION EnumerateKeyInfo;
@@ -254,6 +257,29 @@
NULL);
if (!NT_SUCCESS(Status)) return Status;
+ if (PreviousMode != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ ProbeForWriteUlong(ResultLength);
+ ProbeForWrite(KeyInformation,
+ Length,
+ sizeof(ULONG));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ /* Dereference and return status */
+ ObDereferenceObject(KeyObject);
+ return Status;
+ }
+ }
+
/* Setup the callback */
PostOperationInfo.Object = (PVOID)KeyObject;
EnumerateKeyInfo.Object = (PVOID)KeyObject;
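Review bot: The probe validates KeyInformation and ResultLength only at this instant; user mode can free or unmap those pages before the enumeration result is written, so the later copy into them (outside this hunk, NtEnumerateKey's body continues on both sides) must itself run under _SEH2_TRY or the kernel faults on a user-controlled address — I cannot see from the hunk whether it does. The same 23-line probe-and-dereference block is pasted verbatim into NtEnumerateValueKey, NtQueryKey and NtQueryValueKey below; a single static helper returning the NTSTATUS would keep the four call sites identical and make any future change to the probe (stricter alignment, a length cap) a one-place edit. Status is only guaranteed to hold STATUS_SUCCESS on entry to the try block because the ObReferenceObjectByHandle check just above returns on failure; the helper below makes that explicit instead of relying on it.
```c
/* Probe a user-mode output buffer and its result-length pointer.
 * Returns STATUS_SUCCESS, or the exception code raised by the probe. */
static NTSTATUS
CmpProbeUserOutputBuffer(IN KPROCESSOR_MODE PreviousMode,
                         IN PVOID Buffer,
                         IN ULONG Length,
                         OUT PULONG ResultLength)
{
    NTSTATUS Status = STATUS_SUCCESS;

    /* Kernel-mode callers pass trusted pointers; nothing to probe */
    if (PreviousMode == KernelMode) return STATUS_SUCCESS;

    _SEH2_TRY
    {
        ProbeForWriteUlong(ResultLength);
        ProbeForWrite(Buffer, Length, sizeof(ULONG));
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;

    return Status;
}

/* … in NtEnumerateKey, replacing the inline probe block … */
Status = CmpProbeUserOutputBuffer(PreviousMode, KeyInformation, Length, ResultLength);
if (!NT_SUCCESS(Status))
{
    /* … unchanged: dereference KeyObject and return Status … */
}
```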
@@ -293,6 +319,7 @@
IN ULONG Length,
OUT PULONG ResultLength)
{
+ KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status;
PCM_KEY_BODY KeyObject;
REG_ENUMERATE_VALUE_KEY_INFORMATION EnumerateValueKeyInfo;
@@ -319,6 +346,29 @@
NULL);
if (!NT_SUCCESS(Status)) return Status;
+ if (PreviousMode != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ ProbeForWriteUlong(ResultLength);
+ ProbeForWrite(KeyValueInformation,
+ Length,
+ sizeof(ULONG));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ /* Dereference and return status */
+ ObDereferenceObject(KeyObject);
+ return Status;
+ }
+ }
+
/* Setup the callback */
PostOperationInfo.Object = (PVOID)KeyObject;
EnumerateValueKeyInfo.Object = (PVOID)KeyObject;
@@ -358,6 +408,7 @@
IN ULONG Length,
OUT PULONG ResultLength)
{
+ KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status;
PCM_KEY_BODY KeyObject;
REG_QUERY_KEY_INFORMATION QueryKeyInfo;
@@ -414,6 +465,29 @@
/* Quit on failure */
if (!NT_SUCCESS(Status)) return Status;
+ if (PreviousMode != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ ProbeForWriteUlong(ResultLength);
+ ProbeForWrite(KeyInformation,
+ Length,
+ sizeof(ULONG));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ /* Dereference and return status */
+ ObDereferenceObject(KeyObject);
+ return Status;
+ }
+ }
+
/* Setup the callback */
PostOperationInfo.Object = (PVOID)KeyObject;
QueryKeyInfo.Object = (PVOID)KeyObject;
@@ -452,6 +526,7 @@
IN ULONG Length,
OUT PULONG ResultLength)
{
+ KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status;
PCM_KEY_BODY KeyObject;
REG_QUERY_VALUE_KEY_INFORMATION QueryValueKeyInfo;
@@ -469,6 +544,29 @@
(PVOID*)&KeyObject,
NULL);
if (!NT_SUCCESS(Status)) return Status;
+
+ if (PreviousMode != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ ProbeForWriteUlong(ResultLength);
+ ProbeForWrite(KeyValueInformation,
+ Length,
+ sizeof(ULONG));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ /* Dereference and return status */
+ ObDereferenceObject(KeyObject);
+ return Status;
+ }
+ }
/* Make sure the name is aligned properly */
if ((ValueNameCopy.Length & (sizeof(WCHAR) - 1)))