On 2016-09-06 18:59, gedmur...@svn.reactos.org wrote: > +NTSTATUS > +HandleLoadUnloadIoctl(_In_ PDEVICE_OBJECT DeviceObject, > + _Inout_ PIRP Irp) > +{ > + PIO_STACK_LOCATION StackPtr; > + UNICODE_STRING Name; > + PFILTER_NAME FilterName; > + ULONG BufferLength; > + ULONG ControlCode; > + > + /* Get the IOCTL data from the stack pointer */ > + StackPtr = IoGetCurrentIrpStackLocation(Irp); > + BufferLength = StackPtr->Parameters.DeviceIoControl.InputBufferLength; > + ControlCode = StackPtr->Parameters.DeviceIoControl.IoControlCode; > + > + FLT_ASSERT(ControlCode == IOCTL_LOAD_FILTER || ControlCode == > IOCTL_UNLOAD_FILTER); > + > + /* Make sure the buffer is valid */ > + if (BufferLength < sizeof(FILTER_NAME)) > + return STATUS_INVALID_PARAMETER; > + > + /* Convert the file name buffer into a string */ > + FilterName = (PFILTER_NAME)Irp->AssociatedIrp.SystemBuffer; > + Name.Length = FilterName->Length; > + Name.MaximumLength = FilterName->Length; > + Name.Buffer = (PWCH)((PCHAR)FilterName + FIELD_OFFSET(FILTER_NAME, > FilterName[0]));
You're missing a check for BufferLength < FIELD_OFFSET(FILTER_NAME, FilterName[FilterName->Length / sizeof(WCHAR)]) > + > + /* Forward the request to our Flt routines */ > + if (ControlCode == IOCTL_LOAD_FILTER) > + { > + return FltLoadFilter(&Name); > + } > + else > + { > + return FltUnloadFilter(&Name); > + } > +} _______________________________________________ Ros-dev mailing list Ros-dev@reactos.org http://www.reactos.org/mailman/listinfo/ros-dev
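Review bot: Agreed on the missing length check, and it is worth being precise about where it goes: the `if (BufferLength < sizeof(FILTER_NAME))` test in the middle of the hunk only covers the fixed header, yet the lines that follow set `Name.Length = FilterName->Length` and point `Name.Buffer` at `(PCHAR)FilterName + FIELD_OFFSET(FILTER_NAME, FilterName[0])`, so the string handed to `FltLoadFilter`/`FltUnloadFilter` can extend `FilterName->Length` bytes beyond a SystemBuffer that was only `sizeof(FILTER_NAME)` bytes long. Add, directly after the existing check, something like `if (BufferLength < FIELD_OFFSET(FILTER_NAME, FilterName[0]) + FilterName->Length) return STATUS_INVALID_PARAMETER;`, and since the value becomes a UNICODE_STRING length also reject an odd `FilterName->Length` (`FilterName->Length % sizeof(WCHAR) != 0`), which the `FilterName[FilterName->Length / sizeof(WCHAR)]` form suggested in the reply would otherwise round down silently. A second, smaller point on the last lines of the hunk: `FLT_ASSERT(ControlCode == IOCTL_LOAD_FILTER || ControlCode == IOCTL_UNLOAD_FILTER)` is debug-only, and the closing `if (ControlCode == IOCTL_LOAD_FILTER) ... else` maps every other control code onto `FltUnloadFilter`, so in a free build an unexpected code reaching this routine would unload a filter instead of failing. Making the second branch `else if (ControlCode == IOCTL_UNLOAD_FILTER)` and returning `STATUS_INVALID_DEVICE_REQUEST` otherwise keeps the assert and makes the release-build behaviour explicit.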