
Commit 482eb90

committed
[NTOS:CONFIG] Fix NtSetValueKey data probing
Probe the data before allocating a copy buffer. Otherwise NtSetValueKey returns an unexpected status code when the data size is too large. This fixes the NtSetValueKey ntdll api tests.
1 parent dee7718 commit 482eb90

1 file changed

+22
-2
lines changed

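--- a/ntoskrnl/config/ntapi.c
+++ b/ntoskrnl/config/ntapi.c
@@ -890,16 +890,35 @@ NtSetValueKey(IN HANDLE KeyHandle,
 /* Probe and copy the data */
 if ((PreviousMode != KernelMode) && (DataSize != 0))
 {
-PVOID DataCopy = ExAllocatePoolWithTag(PagedPool, DataSize, TAG_CM);
+PVOID DataCopy = NULL;
+
+_SEH2_TRY
+{
+ProbeForRead(Data, DataSize, 1);
+}
+_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+{
+Status = _SEH2_GetExceptionCode();
+}
+_SEH2_END;
+
+if (!NT_SUCCESS(Status))
+{
+/* Dereference and return status */
+ObDereferenceObject(KeyObject);
+return Status;
+}
+
+DataCopy = ExAllocatePoolWithTag(PagedPool, DataSize, TAG_CM);
 if (!DataCopy)
 {
 /* Dereference and return status */
 ObDereferenceObject(KeyObject);
 return STATUS_INSUFFICIENT_RESOURCES;
 }
+
 _SEH2_TRY
 {
-ProbeForRead(Data, DataSize, 1);
 RtlCopyMemory(DataCopy, Data, DataSize);
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
@@ -915,6 +934,7 @@ NtSetValueKey(IN HANDLE KeyHandle,
 ObDereferenceObject(KeyObject);
 return Status;
 }
+
 Data = DataCopy;
 }
 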
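Review bot: The new `if (!NT_SUCCESS(Status))` after the probe's `_SEH2_END` only works if Status already holds a success code when this block is entered, since the `_SEH2_EXCEPT` handler writes Status solely on a fault; NtSetValueKey's prologue is outside the hunk, so this cannot be confirmed here. The pre-existing check after RtlCopyMemory relies on the same inherited value, but the new early probe makes the dependency easier to break, so an explicit `Status = STATUS_SUCCESS;` immediately before the new `_SEH2_TRY` would pin the success path rather than inherit it. The ordering itself is the point of the commit and deserves a comment, because the "Probe and copy the data" header now covers probe, allocate and copy: `/* Probe first so an invalid Data/DataSize range is rejected before a buffer of that size is allocated; the copy below still needs its own SEH block because user memory can change after the probe */`. The enclosing if-block closes inside the second hunk, but the function continues past it.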
