From f9f5a787154a3886f96fbae303474a054d103190 Mon Sep 17 00:00:00 2001
From: Victor Perevertkin
Date: Wed, 16 Dec 2020 01:12:26 +0300
Subject: [PATCH] [MOUNTMGR] Fix bugs in MountMgrQueryDosVolumePath

- Do not access uninitialized SymlinkInformation on failure case and just return
- Do not make an assumption that MOUNTMGR_TARGET_NAME has a zero-string
---
 drivers/storage/mountmgr/device.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/storage/mountmgr/device.c b/drivers/storage/mountmgr/device.c
index ecdb0b21526..ad70f80c23f 100644
--- a/drivers/storage/mountmgr/device.c
+++ b/drivers/storage/mountmgr/device.c
@@ -865,7 +865,8 @@ MountMgrQueryDosVolumePath(IN PDEVICE_EXTENSION DeviceExtension,
 }

 /* Validate the entry structure size */
- if (Target->DeviceNameLength + sizeof(UNICODE_NULL) > Stack->Parameters.DeviceIoControl.InputBufferLength)
+ if ((FIELD_OFFSET(MOUNTMGR_TARGET_NAME, DeviceNameLength) + Target->DeviceNameLength) >
+ Stack->Parameters.DeviceIoControl.InputBufferLength)
 {
 return STATUS_INVALID_PARAMETER;
 }
@@ -878,7 +879,7 @@ MountMgrQueryDosVolumePath(IN PDEVICE_EXTENSION DeviceExtension,

 /* Construct string for query */
 SymbolicName.Length = Target->DeviceNameLength;
- SymbolicName.MaximumLength = Target->DeviceNameLength + sizeof(UNICODE_NULL);
+ SymbolicName.MaximumLength = Target->DeviceNameLength;
 SymbolicName.Buffer = Target->DeviceName;

 /* Find device with our info */
@@ -911,7 +912,7 @@ MountMgrQueryDosVolumePath(IN PDEVICE_EXTENSION DeviceExtension,
 /* We didn't find, break */
 if (SymlinksEntry == &(DeviceInformation->SymbolicLinksListHead))
 {
- break;
+ return STATUS_NOT_FOUND;
 }

 /* It doesn't have associated device, go to fallback method */
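Review bot: In the hunk at -865,7 +865,8 the new bound uses `FIELD_OFFSET(MOUNTMGR_TARGET_NAME, DeviceNameLength)`, the offset of the length field rather than of the name buffer, so the bytes in front of `DeviceName` are not counted. If `DeviceNameLength` is the first member of the structure (its definition is not shown on this page), that offset is 0 and a caller-supplied length equal to `InputBufferLength` passes while `DeviceName` runs past the end of the input buffer by the size of the header; the removed check happened to cover those bytes through its `sizeof(UNICODE_NULL)` term. The first line of the condition should be `if ((FIELD_OFFSET(MOUNTMGR_TARGET_NAME, DeviceName) + Target->DeviceNameLength) >`. MountMgrQueryDosVolumePath starts and ends outside this hunk.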
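Review bot: In the hunk at -878,7 +879,7 `SymbolicName` now describes exactly `DeviceNameLength` bytes of caller-supplied data with no terminator, and nothing at the assignment records that. A comment above the three assignments, for example `/* Counted string taken from the input buffer: not NUL-terminated, rely on Length only */`, would keep later code from treating `SymbolicName.Buffer` as a C string. The code that consumes `SymbolicName` lies outside this hunk, so whether any of it expects a terminator could not be checked here.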
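Review bot: In the hunk at -911,7 +912,7 the comment `/* We didn't find, break */` no longer matches the code, which now returns `STATUS_NOT_FOUND`; it should read something like `/* We didn't find it, fail the request */`. Because this is an early return from the middle of the function, any lock or pool allocation taken earlier would be skipped on this path. The surrounding code is outside the hunk, so that should be confirmed before relying on the bare `return`.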