On 2016-09-06 18:59, [email protected] wrote:
> +NTSTATUS
> +HandleLoadUnloadIoctl(_In_ PDEVICE_OBJECT DeviceObject,
> + _Inout_ PIRP Irp)
> +{
> + PIO_STACK_LOCATION StackPtr;
> + UNICODE_STRING Name;
> + PFILTER_NAME FilterName;
> + ULONG BufferLength;
> + ULONG ControlCode;
> +
> + /* Get the IOCTL data from the stack pointer */
> + StackPtr = IoGetCurrentIrpStackLocation(Irp);
> + BufferLength = StackPtr->Parameters.DeviceIoControl.InputBufferLength;
> + ControlCode = StackPtr->Parameters.DeviceIoControl.IoControlCode;
> +
> + FLT_ASSERT(ControlCode == IOCTL_LOAD_FILTER || ControlCode ==
> IOCTL_UNLOAD_FILTER);
> +
> + /* Make sure the buffer is valid */
> + if (BufferLength < sizeof(FILTER_NAME))
> + return STATUS_INVALID_PARAMETER;
> +
> + /* Convert the file name buffer into a string */
> + FilterName = (PFILTER_NAME)Irp->AssociatedIrp.SystemBuffer;
> + Name.Length = FilterName->Length;
> + Name.MaximumLength = FilterName->Length;
> + Name.Buffer = (PWCH)((PCHAR)FilterName + FIELD_OFFSET(FILTER_NAME,
> FilterName[0]));
You're missing a check for
BufferLength < FIELD_OFFSET(FILTER_NAME, FilterName[FilterName->Length /
sizeof(WCHAR)])
> +
> + /* Forward the request to our Flt routines */
> + if (ControlCode == IOCTL_LOAD_FILTER)
> + {
> + return FltLoadFilter(&Name);
> + }
> + else
> + {
> + return FltUnloadFilter(&Name);
> + }
> +}
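Review bot: the FLT_ASSERT on ControlCode at the top of HandleLoadUnloadIoctl is compiled out in free builds, so any control code other than IOCTL_LOAD_FILTER that reaches this routine falls through the bare `else` at the bottom and calls FltUnloadFilter(&Name). Unless the dispatch routine guarantees only these two codes arrive here, make the second branch an explicit `else if (ControlCode == IOCTL_UNLOAD_FILTER)` and return STATUS_INVALID_DEVICE_REQUEST otherwise. In addition to the missing trailing-buffer check raised above, FilterName->Length is copied straight into Name.Length and Name.MaximumLength without checking that it is a multiple of sizeof(WCHAR); an odd value produces a UNICODE_STRING that ends in half a character, so reject it along with lengths that run past BufferLength.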
_______________________________________________
Ros-dev mailing list
[email protected]
http://www.reactos.org/mailman/listinfo/ros-dev