
[NTOS] Fix MSVC warnings

Be strict about string length to prevent overflows.

+46 -19
+3 -3
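--- a/ntoskrnl/io/iomgr/deviface.c
+++ b/ntoskrnl/io/iomgr/deviface.c
@@ -824,13 +824,13 @@
     DeviceString.MaximumLength = DeviceString.Length;
     DeviceString.Buffer = Buffer;
 
-    /*
+    /*
      * Separate symbolic link into 4 parts:
      * 1) prefix string (\??\ for kernel mode or \\?\ for user mode),
      * 2) munged path string (like ##?#ACPI#PNP0501#1#{GUID}),
      * 3) GUID string (the current GUID),
      * 4) reference string (goes after GUID, starts with '\').
-     *
+     *
      * We need only reference string.
      */
     Status = IopSeparateSymbolicLink(SymbolicLinkName,
@@ -1905,7 +1905,7 @@
     }
 
     ASSERT(GuidString.Buffer >= LinkNameNoPrefix.Buffer + 1);
-    DeviceInstance.Length = (GuidString.Buffer - LinkNameNoPrefix.Buffer - 1) * sizeof(WCHAR);
+    DeviceInstance.Length = (USHORT)((GuidString.Buffer - LinkNameNoPrefix.Buffer - 1) * sizeof(WCHAR));
     if (DeviceInstance.Length == 0)
     {
         DPRINT1("No device instance in link name '%wZ'\n", SymbolicLinkName);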
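Review bot: The new `(USHORT)` cast at line 1908 silences the warning but would also silently truncate if the pointer difference ever exceeded UNICODE_STRING_MAX_BYTES, and the existing ASSERT only bounds the difference from below; nothing in the hunk records why the upper bound holds. If GuidString.Buffer and LinkNameNoPrefix.Buffer both point into SymbolicLinkName, whose Length is itself a USHORT, a comment such as `/* Both pointers lie within SymbolicLinkName, so the byte count fits a USHORT */` would make the cast self-explanatory, and `ASSERT((GuidString.Buffer - LinkNameNoPrefix.Buffer - 1) * sizeof(WCHAR) <= UNICODE_STRING_MAX_BYTES);` would catch a violation in debug builds. Note that the `== 0` test on the next line runs on the already narrowed value, so a truncated multiple of 0x10000 would be reported as "no device instance" rather than as an out-of-range length. The enclosing function starts and ends outside the hunk.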
+25 -7
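--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -5,7 +5,7 @@
  * PURPOSE:         Driver Object Management
  * PROGRAMMERS:     Alex Ionescu (alex.ionescu@reactos.org)
  *                  Filip Navara (navaraf@reactos.org)
- *                  Herv� Poussineau (hpoussin@reactos.org)
+ *                  Hervé Poussineau (hpoussin@reactos.org)
  */
 
 /* INCLUDES *******************************************************************/
@@ -136,13 +136,19 @@
     if (NT_SUCCESS(status))
     {
         /* We've got the ObjectName, use it as the driver name */
-        if (kvInfo->Type != REG_SZ || kvInfo->DataLength == 0)
+        if ((kvInfo->Type != REG_SZ) ||
+            (kvInfo->DataLength < sizeof(UNICODE_NULL)) ||
+            (kvInfo->DataLength > UNICODE_STRING_MAX_BYTES) ||
+            ((kvInfo->DataLength % sizeof(WCHAR)) != 0))
         {
+            DPRINT1("ObjectName invalid (Type = %lu, DataLength = %lu)\n",
+                    kvInfo->Type,
+                    kvInfo->DataLength);
             ExFreePool(kvInfo);
             return STATUS_ILL_FORMED_SERVICE_ENTRY;
         }
 
-        driverName.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
+        driverName.Length = (USHORT)(kvInfo->DataLength - sizeof(UNICODE_NULL));
         driverName.MaximumLength = kvInfo->DataLength;
         driverName.Buffer = ExAllocatePoolWithTag(NonPagedPool, driverName.MaximumLength, TAG_IO);
         if (!driverName.Buffer)
@@ -963,13 +969,19 @@
         {
             continue;
         }
-        if (kvInfo->Type != REG_SZ || kvInfo->DataLength == 0)
+        if ((kvInfo->Type != REG_SZ) ||
+            (kvInfo->DataLength < sizeof(UNICODE_NULL)) ||
+            (kvInfo->DataLength > UNICODE_STRING_MAX_BYTES) ||
+            ((kvInfo->DataLength % sizeof(WCHAR)) != 0))
         {
+            DPRINT1("ObjectName invalid (Type = %lu, DataLength = %lu)\n",
+                    kvInfo->Type,
+                    kvInfo->DataLength);
             ExFreePool(kvInfo);
             continue;
         }
 
-        instancePath.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
+        instancePath.Length = (USHORT)(kvInfo->DataLength - sizeof(UNICODE_NULL));
         instancePath.MaximumLength = kvInfo->DataLength;
         instancePath.Buffer = ExAllocatePoolWithTag(NonPagedPool,
                                                     instancePath.MaximumLength,
@@ -1948,13 +1960,19 @@
     Status = IopGetRegistryValue(ServiceHandle, L"ImagePath", &kvInfo);
     if (NT_SUCCESS(Status))
     {
-        if ((kvInfo->Type != REG_EXPAND_SZ && kvInfo->Type != REG_SZ) || kvInfo->DataLength == 0)
+        if ((kvInfo->Type != REG_EXPAND_SZ && kvInfo->Type != REG_SZ) ||
+            (kvInfo->DataLength < sizeof(UNICODE_NULL)) ||
+            (kvInfo->DataLength > UNICODE_STRING_MAX_BYTES) ||
+            ((kvInfo->DataLength % sizeof(WCHAR)) != 0))
         {
+            DPRINT1("ObjectName invalid (Type = %lu, DataLength = %lu)\n",
+                    kvInfo->Type,
+                    kvInfo->DataLength);
             ExFreePool(kvInfo);
             return STATUS_ILL_FORMED_SERVICE_ENTRY;
         }
 
-        ImagePath.Length = kvInfo->DataLength - sizeof(UNICODE_NULL);
+        ImagePath.Length = (USHORT)(kvInfo->DataLength - sizeof(UNICODE_NULL));
         ImagePath.MaximumLength = kvInfo->DataLength;
         ImagePath.Buffer = ExAllocatePoolWithTag(PagedPool, ImagePath.MaximumLength, TAG_RTLREGISTRY);
         if (!ImagePath.Buffer)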
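Review bot: The DPRINT1 added in the ImagePath hunk (new lines 1968-1970) reports "ObjectName invalid" although the value validated there is L"ImagePath", read two lines above, so the message sends a reader to the wrong registry value; change it to `DPRINT1("ImagePath invalid (Type = %lu, DataLength = %lu)\n", kvInfo->Type, kvInfo->DataLength);`. In all three hunks `MaximumLength = kvInfo->DataLength;` still narrows ULONG to USHORT implicitly right beside the line that now casts; the new `> UNICODE_STRING_MAX_BYTES` rejection is what makes that narrowing safe, so an explicit `(USHORT)` there would keep the pair consistent and make the intent visible. The new checks guarantee DataLength is even and at least one WCHAR, but not that the final WCHAR is actually a terminator; a value stored without one has its last character silently dropped by `Length = DataLength - sizeof(UNICODE_NULL)` rather than overflowing, which is probably acceptable but deserves a one-line comment. Each hunk's enclosing function begins and ends outside the hunk.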
+17 -8
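--- a/ntoskrnl/io/pnpmgr/devaction.c
+++ b/ntoskrnl/io/pnpmgr/devaction.c
@@ -628,11 +628,14 @@
     Status = IopGetRegistryValue(SubKey, REGSTR_VAL_CLASSGUID, &kvInfo);
     if (NT_SUCCESS(Status))
     {
-        if (kvInfo->Type == REG_SZ && kvInfo->DataLength > sizeof(WCHAR))
+        if ((kvInfo->Type == REG_SZ) &&
+            (kvInfo->DataLength > sizeof(UNICODE_NULL)) &&
+            (kvInfo->DataLength <= UNICODE_STRING_MAX_BYTES) &&
+            ((kvInfo->DataLength % sizeof(WCHAR)) == 0))
         {
             UNICODE_STRING classGUID = {
                 .MaximumLength = kvInfo->DataLength,
-                .Length = kvInfo->DataLength - sizeof(UNICODE_NULL),
+                .Length = (USHORT)(kvInfo->DataLength - sizeof(UNICODE_NULL)),
                 .Buffer = (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset)
             };
             HANDLE ccsControlHandle;
@@ -1363,14 +1366,20 @@
         return Status;
     }
 
-    if (kvInfo2->Type != REG_SZ || kvInfo2->DataLength <= sizeof(WCHAR))
+    if ((kvInfo2->Type != REG_SZ) ||
+        (kvInfo2->DataLength <= sizeof(UNICODE_NULL)) ||
+        (kvInfo2->DataLength > UNICODE_STRING_MAX_BYTES) ||
+        ((kvInfo2->DataLength % sizeof(WCHAR)) != 0))
     {
+        DPRINT1("ObjectName invalid (Type = %lu, DataLength = %lu)\n",
+                kvInfo2->Type,
+                kvInfo2->DataLength);
         ExFreePool(kvInfo2);
         return STATUS_UNSUCCESSFUL;
     }
 
     ServiceName.MaximumLength = kvInfo2->DataLength;
-    ServiceName.Length = kvInfo2->DataLength - sizeof(UNICODE_NULL);
+    ServiceName.Length = (USHORT)(kvInfo2->DataLength - sizeof(UNICODE_NULL));
     ServiceName.Buffer = (PVOID)((ULONG_PTR)kvInfo2 + kvInfo2->DataOffset);
 
     DPRINT("IopSetServiceEnumData(%p)\n", DeviceNode);
@@ -1508,7 +1517,7 @@
  * Sends IRP_MN_QUERY_PNP_DEVICE_STATE request and sets device node's flags
  * according to the result.
  * Tree reenumeration should be started upon a successful return of the function.
- *
+ *
  * @todo Do not return STATUS_SUCCESS if nothing is changed.
  */
 static
@@ -1538,7 +1547,7 @@
     if (PnPFlags & PNP_DEVICE_REMOVED || PnPFlags & PNP_DEVICE_DISABLED)
     {
         PiSetDevNodeProblem(DeviceNode,
-                            PnPFlags & PNP_DEVICE_DISABLED
+                            PnPFlags & PNP_DEVICE_DISABLED
                             ? CM_PROB_HARDWARE_DISABLED
                             : CM_PROB_DEVICE_NOT_THERE);
 
@@ -2413,7 +2422,7 @@
                     PiIrpQueryStopDevice(currentNode);
                     PiSetDevNodeState(currentNode, DeviceNodeQueryStopped);
                 }
-
+
                 doProcessAgain = TRUE;
             }
             break;
@@ -2617,7 +2626,7 @@
                 }
             }
             // TODO: Windows may return STATUS_DELETE_PENDING here
-            status = STATUS_SUCCESS;
+            status = STATUS_SUCCESS;
             break;
 
         default: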
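Review bot: The DPRINT1 added at new lines 1374-1376 labels the rejected data "ObjectName invalid", but what it rejects is the data that becomes ServiceName a few lines later, so the message points at the wrong registry value; the name of the value being read sits before the hunk, so word the message after it, e.g. `DPRINT1("Service name value invalid (Type = %lu, DataLength = %lu)\n", kvInfo2->Type, kvInfo2->DataLength);`. `ServiceName.MaximumLength = kvInfo2->DataLength;` here, and `.MaximumLength = kvInfo->DataLength,` in the ClassGUID hunk, still narrow ULONG to USHORT implicitly next to a line that now casts; the new `UNICODE_STRING_MAX_BYTES` bound is what makes the narrowing safe, so an explicit `(USHORT)` on both would make that dependency visible. Neither check confirms that the last WCHAR is really a UNICODE_NULL, so a value stored without a terminator loses its final character silently; since Buffer aliases the registry data in place and Length excludes that last WCHAR, this cannot overflow, but a comment recording the assumption would help the next reader. The enclosing functions start and end outside the hunks.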
+1 -1
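--- a/ntoskrnl/ob/oblink.c
+++ b/ntoskrnl/ob/oblink.c
@@ -442,7 +442,7 @@
     POBJECT_SYMBOLIC_LINK SymlinkObject = (POBJECT_SYMBOLIC_LINK)ParsedObject;
     PUNICODE_STRING TargetPath;
     PWSTR NewTargetPath;
-    ULONG LengthUsed, MaximumLength, TempLength;
+    SIZE_T LengthUsed, MaximumLength, TempLength;
     NTSTATUS Status;
     PAGED_CODE();
 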