lywsvip/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2026-05-18 07:39:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

[NTOS:EX] Fix BufferSize validation in NtCreateProfile.

Browse Source 
See https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/profile/bugdemo.htm
This commit is contained in:
Thomas Faber
2021-12-11 15:41:30 -05:00
committed by Mark Jansen
parent 11d11f93ee
commit 1b2eeb23e0
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ntoskrnl/ex/profile.c
View File

@@ -104,6 +104,7 @@ NtCreateProfile(OUT PHANDLE ProfileHandle,
NTSTATUS Status;
ULONG Log2 = 0;
ULONG_PTR Segment = 0;
ULONG BucketsRequired;
PAGED_CODE();
/* Easy way out */
@@ -136,7 +137,12 @@ NtCreateProfile(OUT PHANDLE ProfileHandle,
}
/* Make sure that the buckets can map the range */
if ((RangeSize >> (BucketSize - 2)) > BufferSize)
BucketsRequired = RangeSize >> BucketSize;
if (RangeSize & ((1 << BucketSize) - 1))
{
BucketsRequired++;
}
if (BucketsRequired > BufferSize / sizeof(ULONG))
{
DPRINT1("Bucket size too small\n");
return STATUS_BUFFER_TOO_SMALL;