From 64701d0798b2a1153492dec6aa2f6dd2ef2ec1c6 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Sat, 26 Jul 2025 18:43:32 +0300
Subject: [PATCH] [NTOS:EX] Fix query of SystemFirmwareTableInformation
---
 ntoskrnl/ex/sysinfo.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/ntoskrnl/ex/sysinfo.c b/ntoskrnl/ex/sysinfo.c
index b05328d0600..61557f72a16 100644
--- a/ntoskrnl/ex/sysinfo.c
+++ b/ntoskrnl/ex/sysinfo.c
@@ -2727,7 +2727,7 @@ QSI_DEF(SystemFirmwareTableInformation)
 {
 PSYSTEM_FIRMWARE_TABLE_INFORMATION SysFirmwareInfo = (PSYSTEM_FIRMWARE_TABLE_INFORMATION)Buffer;
 NTSTATUS Status = STATUS_SUCCESS;
- ULONG InputBufSize;
+ ULONG DataBufSize;
 ULONG DataSize = 0;
 ULONG TableCount = 0;
@@ -2742,7 +2742,7 @@ QSI_DEF(SystemFirmwareTableInformation)
 return STATUS_INFO_LENGTH_MISMATCH;
 }
- InputBufSize = SysFirmwareInfo->TableBufferLength;
+ DataBufSize = Size - *ReqSize;
 switch (SysFirmwareInfo->ProviderSignature)
 {
 /*
@@ -2772,17 +2772,18 @@ QSI_DEF(SystemFirmwareTableInformation)
 if (SysFirmwareInfo->Action == SystemFirmwareTable_Enumerate)
 {
 DataSize = TableCount * sizeof(ULONG);
- if (DataSize <= InputBufSize)
+ if (DataSize <= DataBufSize)
 {
 *(ULONG *)SysFirmwareInfo->TableBuffer = 0;
 }
 }
 else if (SysFirmwareInfo->Action == SystemFirmwareTable_Get
- && DataSize <= InputBufSize)
+ && DataSize <= DataBufSize)
 {
- Status = ExpGetRawSMBiosTable(SysFirmwareInfo->TableBuffer, &DataSize, InputBufSize);
+ Status = ExpGetRawSMBiosTable(SysFirmwareInfo->TableBuffer, &DataSize, DataBufSize);
 }
 SysFirmwareInfo->TableBufferLength = DataSize;
+ *ReqSize += DataSize;
 }
 break;
 }
@@ -2790,7 +2791,8 @@ QSI_DEF(SystemFirmwareTableInformation)
 {
 DPRINT1("SystemFirmwareTableInformation: Unsupported provider (0x%x)\n", SysFirmwareInfo->ProviderSignature);
- Status = STATUS_ILLEGAL_FUNCTION;
+ *ReqSize = 0;
+ Status = STATUS_NOT_IMPLEMENTED;
 }
 }
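Review bot: The new bound `DataBufSize = Size - *ReqSize;` in the second hunk is an unsigned subtraction that is only safe because of the length check whose tail (`return STATUS_INFO_LENGTH_MISMATCH;`) appears as context just above it. The comparison itself lies outside the hunk, so nothing at the assignment shows why the value cannot wrap. I would record that dependency where the bound is computed, e.g. `/* Size >= *ReqSize was checked above, so this cannot wrap; this is the real room after the header, not the caller-written TableBufferLength */`. An `ASSERT(Size >= *ReqSize);` on the line before would catch the invariant breaking if the early check is ever moved. The function body starts and ends outside this hunk.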
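Review bot: In the third hunk, `SysFirmwareInfo->TableBufferLength = DataSize;` and the added `*ReqSize += DataSize;` run whether or not either size guard passed and without looking at `Status`. The length handed back is therefore whatever `ExpGetRawSMBiosTable` left in `DataSize`, even if the copy failed; what the helper stores on failure is not visible here. If reporting the needed length with nothing copied is the intended contract, a comment would make that explicit, e.g. `/* Report the needed length even when nothing was copied, so the caller can size a retry */`. The enclosing block that opens before this hunk is not shown, so the origin of the `DataSize` value being compared against `DataBufSize` should be confirmed there.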
@@ -2801,7 +2803,7 @@ QSI_DEF(SystemFirmwareTableInformation)
 case SystemFirmwareTable_Enumerate:
 case SystemFirmwareTable_Get:
 {
- if (SysFirmwareInfo->TableBufferLength > InputBufSize)
+ if (SysFirmwareInfo->TableBufferLength > DataBufSize)
 {
 Status = STATUS_BUFFER_TOO_SMALL;
 }
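Review bot: The size check `if (SysFirmwareInfo->TableBufferLength > DataBufSize)` reads the length back out of the query buffer instead of using the local that was stored into it earlier. If `Buffer` is the caller's own memory (not visible in this hunk), another thread can change that field between the store and this comparison, so the returned status would no longer reflect what the kernel computed. Comparing the local, `if (DataSize > DataBufSize)`, removes the second read, provided `DataSize` holds the reported length on every path that reaches this switch. That needs confirming for the provider cases outside the hunks. The switch begins and ends outside this hunk.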