From 32a82eb123e75544cf6cd9341589928bed5be89c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Thu, 10 Jun 2021 23:11:27 +0200
Subject: [PATCH] [NTOS:IO] Fix driverName.Buffer leak in some failure paths in IopGetDriverNames().

driverName.Buffer leaked when the "(!NT_SUCCESS(status) || ServiceName != NULL)" case is taken because ServiceName != NULL, and some of the functions fail.
---
 ntoskrnl/io/iomgr/driver.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index f48a85a9705..6a42dd30f7a 100644
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -171,21 +171,22 @@ IopGetDriverNames(
 status = ZwQueryKey(ServiceHandle, KeyBasicInformation, NULL, 0, &infoLength);
 if (status != STATUS_BUFFER_TOO_SMALL)
 {
- return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
+ status = (NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status);
+ goto Cleanup;
 }
 /* Allocate the buffer and retrieve the data */
 basicInfo = ExAllocatePoolWithTag(PagedPool, infoLength, TAG_IO);
 if (!basicInfo)
 {
- return STATUS_INSUFFICIENT_RESOURCES;
+ status = STATUS_INSUFFICIENT_RESOURCES;
+ goto Cleanup;
 }
 status = ZwQueryKey(ServiceHandle, KeyBasicInformation, basicInfo, infoLength, &infoLength);
 if (!NT_SUCCESS(status))
 {
- ExFreePoolWithTag(basicInfo, TAG_IO);
- return status;
+ goto Cleanup;
 }
 serviceName.Length = basicInfo->NameLength;
@@ -248,7 +249,6 @@ IopGetDriverNames(
 PWCHAR buf = ExAllocatePoolWithTag(PagedPool, serviceName.Length, TAG_IO);
 if (!buf)
 {
- ExFreePoolWithTag(driverName.Buffer, TAG_IO);
 status = STATUS_INSUFFICIENT_RESOURCES;
 goto Cleanup;
 }
@@ -265,6 +265,9 @@ Cleanup:
 if (basicInfo)
 ExFreePoolWithTag(basicInfo, TAG_IO);
+ if (!NT_SUCCESS(status) && driverName.Buffer)
+ ExFreePoolWithTag(driverName.Buffer, TAG_IO);
+
 return status;
 }
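Review bot: The first two failure exits in this hunk now depend on `basicInfo` and `driverName.Buffer` already holding NULL or a live pool pointer, because they jump to `Cleanup` before `basicInfo` has been assigned in this block. Their declarations and initialisers are outside the hunk, so this should be confirmed; handing an uninitialised pointer to `ExFreePoolWithTag` in kernel mode would corrupt the pool or crash the system. A comment at the first jump would record the invariant, e.g. `/* Cleanup frees basicInfo and, on failure, driverName.Buffer: both must be NULL or valid here */`. The function body starts and ends outside this hunk.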
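Review bot: The new failure-path free under `Cleanup` releases `driverName.Buffer`, but nothing visible in the hunks guarantees the caller cannot still see that pointer. If the function's output string is filled from `driverName` before a path that can still fail (the `!buf` allocation failure in the second hunk is one candidate), the caller would be left with a dangling buffer and a later free would be a double free. The assignment is outside the hunks, so this is a point to confirm, not an established defect. Documenting the contract at the label would help, e.g. `/* On failure no buffer is handed to the caller; driverName.Buffer is released here */`.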