Author: pschweitzer
Date: Sun Jun 21 05:40:15 2015
New Revision: 68221

URL: http://svn.reactos.org/svn/reactos?rev=68221&view=rev
Log:
[NTOSKRNL]
Don't trust the user!
Probe buffers in NtSetSystemInformation - SystemSessionCreate and in 
NtSetSystemInformation - SystemSessionDetach

Modified:
    trunk/reactos/ntoskrnl/ex/sysinfo.c

Modified: trunk/reactos/ntoskrnl/ex/sysinfo.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ex/sysinfo.c?rev=68221&r1=68220&r2=68221&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/ex/sysinfo.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ex/sysinfo.c [iso-8859-1] Sun Jun 21 05:40:15 2015
@@ -2068,10 +2068,31 @@
         {
             return STATUS_PRIVILEGE_NOT_HELD;
         }
+
+        _SEH2_TRY
+        {
+            ProbeForWriteUlong(Buffer);
+        }
+        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        {
+            _SEH2_YIELD(return _SEH2_GetExceptionCode());
+        }
+        _SEH2_END;
     }
 
     Status = MmSessionCreate(&SessionId);
-    if (NT_SUCCESS(Status)) *(PULONG)Buffer = SessionId;
+    if (NT_SUCCESS(Status))
+    {
+        _SEH2_TRY
+        {
+            *(PULONG)Buffer = SessionId;
+        }
+        _SEH2_EXCEPT(ExSystemExceptionFilter())
+        {
+            Status = _SEH2_GetExceptionCode();
+        }
+        _SEH2_END;
+    }
 
     return Status;
 }
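Review bot: When the guarded store of `SessionId` into `Buffer` faults, the handler only sets `Status`, so the session that MmSessionCreate just created stays alive while the caller receives a failure code and never learns its id. A user-mode buffer can pass ProbeForWriteUlong and still become unwritable before the store, so this path is reachable and each occurrence leaves a session behind. The handler should undo the creation before reporting the error, e.g. `MmSessionDelete(SessionId);` ahead of `Status = _SEH2_GetExceptionCode();`, assuming MmSessionDelete is the correct inverse here (it is the call the detach case uses). The function begins outside this hunk.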
@@ -2091,9 +2112,21 @@
         {
             return STATUS_PRIVILEGE_NOT_HELD;
         }
-    }
-
-    SessionId = *(PULONG)Buffer;
+
+        _SEH2_TRY
+        {
+            SessionId = ProbeForReadUlong(Buffer);
+        }
+        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        {
+            _SEH2_YIELD(return _SEH2_GetExceptionCode());
+        }
+        _SEH2_END;
+    }
+    else
+    {
+        SessionId = *(PULONG)Buffer;
+    }
 
     return MmSessionDelete(SessionId);
 }
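Review bot: The new `else` branch reads `*(PULONG)Buffer` with no SEH, whereas the create case in this same commit wraps its store in `_SEH2_TRY` with `ExSystemExceptionFilter()` for all callers; the difference looks deliberate but is not explained. A short comment on the branch would state the assumption, e.g. `/* KernelMode caller: Buffer is a trusted kernel address, no probe needed */`. A comment above the probe would also help, saying that `ProbeForReadUlong` both validates the address and captures the value, so `SessionId` is read from user memory exactly once. The function begins outside this hunk.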

