[TRACERT] Fix undefined behavior by fixing ReplyBuffer size. (#2422)
authorErdem Ersoy <erdemersoy@erdemersoy.net>
Sun, 8 Mar 2020 18:36:07 +0000 (21:36 +0300)
committerGitHub <noreply@github.com>
Sun, 8 Mar 2020 18:36:07 +0000 (19:36 +0100)
CORE-16620

base/applications/network/tracert/tracert.cpp

index da026a6..1cabd0a 100644 (file)
@@ -377,31 +377,31 @@ RunTraceRoute()
     }
 
     BYTE SendBuffer[PACKET_SIZE];
-    ICMPV6_ECHO_REPLY ReplyBufferv6;
-#ifdef _WIN64
-    ICMP_ECHO_REPLY32 ReplyBufferv432;
-#else
-    ICMP_ECHO_REPLY ReplyBufferv4;
-#endif
+
     PVOID ReplyBuffer;
 
     DWORD ReplySize = PACKET_SIZE + SIZEOF_ICMP_ERROR + SIZEOF_IO_STATUS_BLOCK;
     if (Info.Family == AF_INET6)
     {
-        ReplyBuffer = &ReplyBufferv6;
         ReplySize += sizeof(ICMPV6_ECHO_REPLY);
     }
     else
     {
 #ifdef _WIN64
-        ReplyBuffer = &ReplyBufferv432;
         ReplySize += sizeof(ICMP_ECHO_REPLY32);
 #else
-        ReplyBuffer = &ReplyBufferv4;
         ReplySize += sizeof(ICMP_ECHO_REPLY);
 #endif
     }
 
+    HANDLE heap = GetProcessHeap();
+    ReplyBuffer = HeapAlloc(heap, HEAP_ZERO_MEMORY, ReplySize);
+    if (ReplyBuffer == NULL)
+    {
+        FreeAddrInfoW(Info.Target);
+        return false;
+    }
+
     if (Info.Family == AF_INET6)
     {
         Info.hIcmpFile = Icmp6CreateFile();
@@ -412,6 +412,7 @@ RunTraceRoute()
     }
     if (Info.hIcmpFile == INVALID_HANDLE_VALUE)
     {
+        HeapFree(heap, 0, ReplyBuffer);
         FreeAddrInfoW(Info.Target);
         return false;
     }
@@ -486,6 +487,7 @@ RunTraceRoute()
 
     OutputText(IDS_TRACE_COMPLETE);
 
+    HeapFree(heap, 0, ReplyBuffer);
     FreeAddrInfoW(Info.Target);
     if (Info.hIcmpFile)
     {