- Fix null pointer dereferences
authorCameron Gutman <aicommander@gmail.com>
Tue, 18 Aug 2009 20:30:58 +0000 (20:30 +0000)
committerCameron Gutman <aicommander@gmail.com>
Tue, 18 Aug 2009 20:30:58 +0000 (20:30 +0000)
 - Fix out of bounds array access
 - Check that we got a valid pointer from HeapAlloc
 - Don't close the caller's handle when we fail
 - Fix a memory leak
 - Found by Amine Khaldi

svn path=/trunk/; revision=42774

reactos/dll/win32/iphlpapi/ifenum_reactos.c
reactos/dll/win32/iphlpapi/iphlpapi_main.c
reactos/dll/win32/iphlpapi/ipstats_reactos.c
reactos/dll/win32/iphlpapi/registry.c
reactos/dll/win32/iphlpapi/resinfo_reactos.c

index a37d5e0..90b4321 100644 (file)
@@ -582,6 +582,8 @@ const char *getInterfaceNameByIndex(DWORD index)
 
             interfaceName = HeapAlloc( GetProcessHeap(), 0,
                                        strlen(adapter_name) + 1 );
+            if (!interfaceName) return NULL;
+
             strcpy( interfaceName, adapter_name );
         }
 
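Review bot: Returning NULL from getInterfaceNameByIndex on L25 changes the function's contract, and only the GetAdaptersInfo caller is updated in this commit; any other caller that hands the result straight to strncpy or consumeInterfaceName would now dereference NULL instead of an unchecked allocation. The function begins before this hunk, so its other return paths and its remaining call sites are not visible here. State the new contract at the definition, e.g. `/* Returns NULL on allocation failure; callers must check before use. */`, and audit the other callers in the same pass.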
@@ -847,15 +849,14 @@ DWORD getInterfaceEntryByIndex(DWORD index, PMIB_IFROW entry)
 
 char *toIPAddressString(unsigned int addr, char string[16])
 {
-  if (string) {
     struct in_addr iAddr;
 
     iAddr.s_addr = addr;
-    /* extra-anal, just to make auditors happy */
-    strncpy(string, inet_ntoa(iAddr), 16);
-    string[16] = '\0';
-  }
-  return string;
+
+    if (string)
+        strncpy(string, inet_ntoa(iAddr), 16);
+  
+    return inet_ntoa(iAddr);
 }
 
 NTSTATUS addIPAddress( IPAddr Address, IPMask Mask, DWORD IfIndex,
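Review bot: The new `return inet_ntoa(iAddr);` on L47 hands back inet_ntoa's static buffer even when the caller supplied `string`, whereas the old code returned the caller's buffer; a caller that keeps the returned pointer and later triggers another inet_ntoa call (including through this same helper) sees it overwritten, and the static buffer is not thread-safe. Returning the caller's buffer when there is one keeps the old contract while still avoiding the removed out-of-bounds `string[16]` write: `return string ? string : inet_ntoa(iAddr);`. The strncpy bound of 16 on L45 is safe because a dotted-quad IPv4 string is at most 15 characters, so the copy is always NUL-terminated; a comment saying so would stop the next reader from re-adding the terminator write: `/* inet_ntoa() yields at most 15 chars, so 16 bytes always include the NUL */`.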
index ac011ba..8ef198e 100644 (file)
@@ -102,6 +102,7 @@ DWORD getInterfaceGatewayByIndex(DWORD index)
 {
    DWORD ndx, retVal = 0, numRoutes = getNumRoutes();
    RouteTable *table = getRouteTable();
+   if (!table) return 0;
 
     for (ndx = 0; ndx < numRoutes; ndx++)
     {
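Review bot: The loop bound on L58 is `numRoutes` from a separate getNumRoutes() call on L54 rather than the count stored in the table obtained on L55 (getRouteTable in ipstats_reactos.c fills `out_route_table->numRoutes`), so if the routing table grows between the two calls the loop reads past the entries the table actually holds. Iterating with the table's own count closes that window: `for (ndx = 0; ndx < table->numRoutes; ndx++)`, and if numRoutes is then unused the local can go. The new `if (!table) return 0;` is right, but it makes 0 mean both "no gateway" and "allocation failed"; acceptable for a lookup helper, though worth a one-line comment at the return. The rest of getInterfaceGatewayByIndex, including how `table` is released, lies outside this hunk.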
@@ -645,9 +646,12 @@ DWORD WINAPI GetAdaptersInfo(PIP_ADAPTER_INFO pAdapterInfo, PULONG pOutBufLen)
               DWORD addrLen = sizeof(ptr->Address), type;
               const char *ifname =
                   getInterfaceNameByIndex(table->indexes[ndx]);
+              if (!ifname) {
+                  ret = ERROR_OUTOFMEMORY;
+                  break;
+              }
 
               /* on Win98 this is left empty, but whatever */
-
               strncpy(ptr->AdapterName,ifname,sizeof(ptr->AdapterName));
               consumeInterfaceName(ifname);
               ptr->AdapterName[MAX_ADAPTER_NAME_LENGTH] = '\0';
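Review bot: The new check on L64-L67 maps every NULL from getInterfaceNameByIndex to ERROR_OUTOFMEMORY, but only the allocation-failure return in ifenum_reactos.c is visible in this commit; the start of that function is outside the hunks, so if it also returns NULL for an index it cannot resolve, this reports the wrong error. If allocation failure really is the only NULL path, say so where the code is chosen: `/* getInterfaceNameByIndex only returns NULL when HeapAlloc fails */`. The `break` also leaves the loop with `ret` set but the output buffer partially filled; whether the caller sees `ret` or a truncated list depends on code after this hunk, so confirm the partial entries are not handed back as success. GetAdaptersInfo starts and ends outside this hunk.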
@@ -983,9 +987,9 @@ DWORD WINAPI GetInterfaceInfo(PIP_INTERFACE_INFO pIfTable, PULONG dwOutBufLen)
     }
     else {
       InterfaceIndexTable *table = getNonLoopbackInterfaceIndexTable();
-      TRACE("table->numIndexes == 0x%x\n", table->numIndexes);
 
       if (table) {
+        TRACE("table->numIndexes == 0x%x\n", table->numIndexes);
         size = sizeof(IP_INTERFACE_INFO) + (table->numIndexes) *
          sizeof(IP_ADAPTER_INDEX_MAP);
         if (*dwOutBufLen < size) {
index d0a6178..4dede14 100644 (file)
@@ -459,6 +459,10 @@ RouteTable *getRouteTable(void)
     out_route_table = HeapAlloc( GetProcessHeap(), 0,
                                  sizeof(RouteTable) +
                                  (sizeof(RouteEntry) * (numRoutes - 1)) );
+    if (!out_route_table) {
+        closeTcpFile(tcpFile);
+        return NULL;
+    }
 
     out_route_table->numRoutes = numRoutes;
 
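Review bot: The size on L88-L89 computes `numRoutes - 1` before the new NULL check can help; if `numRoutes` is unsigned (a DWORD seems likely, but its declaration is outside the hunk) and no routes are present, the subtraction wraps, and on a 32-bit build the product wraps again to a short allocation that HeapAlloc returns successfully, so the guard on L90 never fires. Handle the zero case before allocating, e.g. use `(numRoutes ? numRoutes - 1 : 0)` in the size expression or return an empty table explicitly. The new failure path closes tcpFile, which matches the close-on-every-exit pattern this commit is going for, but getRouteTable begins before this hunk so I could not confirm the earlier returns do the same.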
@@ -586,6 +590,10 @@ PMIB_IPNETTABLE getArpTable(void)
     IpArpTable = HeapAlloc
        ( GetProcessHeap(), 0,
          sizeof(DWORD) + (sizeof(MIB_IPNETROW) * totalNumber) );
+    if (!IpArpTable) {
+        closeTcpFile(tcpFile);
+        return NULL;
+    }
 
     status = tdiGetEntityIDSet( tcpFile, &entitySet, &numEntities );
 
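Review bot: The new OOM path on L101-L104 is correct, but the tdiGetEntityIDSet call on L106 right after it has its failure handling beyond the hunk; with IpArpTable now a checked live allocation, that path must `HeapFree(GetProcessHeap(), 0, IpArpTable)` before closing tcpFile and returning, otherwise the leak this commit sets out to fix has a twin two lines lower. A short comment on the allocation, `/* freed by every error exit below and by the caller on success */`, would make that contract explicit. getArpTable begins before and ends after this hunk.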
index 2421b1c..64b0f1f 100644 (file)
@@ -44,18 +44,19 @@ PWCHAR GetNthChildKeyName( HANDLE RegHandle, DWORD n ) {
   PWCHAR Value;
   DWORD ValueLen;
 
-  if (MaxAdapterName == -1) {
-    RegCloseKey( RegHandle );
+  if (MaxAdapterName == -1)
     return 0;
-  }
 
   ValueLen = MaxAdapterName;
   Value = (PWCHAR)HeapAlloc( GetProcessHeap(), 0, MaxAdapterName * sizeof(WCHAR) );
+  if (!Value) return 0;
+
   Status = RegEnumKeyExW( RegHandle, n, Value, &ValueLen,
                          NULL, NULL, NULL, NULL );
-  if (Status != ERROR_SUCCESS)
+  if (Status != ERROR_SUCCESS) {
+    HeapFree(GetProcessHeap(), 0, Value);
     return 0;
-  else {
+  else {
     Value[ValueLen] = 0;
     return Value;
   }
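Review bot: As rendered, the new side on L126-L133 opens a brace at `if (Status != ERROR_SUCCESS) {` and reaches `else {` on L130 without closing it, which would not compile; since the -/+ pair on L129-L130 shows identical text, the added line is presumably `} else {` and the brace was lost in rendering, but it is worth confirming against the committed file. Separately, the buffer is `MaxAdapterName` WCHARs and the same value is passed to RegEnumKeyExW as the buffer size including the terminator (L119-L124); if MaxAdapterName comes from RegQueryInfoKey's lpcMaxSubKeyLen, which excludes the terminator and is computed before this hunk, the longest key name fails with ERROR_MORE_DATA instead of being returned. `Value[ValueLen] = 0` on L131 is in bounds because RegEnumKeyExW reports the length without the terminator, and a comment would save the next reader the check: `/* ValueLen excludes the NUL on return, so this index is within the buffer */`.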
index 3a540dc..03993a7 100644 (file)
@@ -151,11 +151,13 @@ void EnumNameServers( HANDLE RegHandle, PWCHAR Interface,
        }
        if (ch - LastNameStart > 0) { /* A last name? */
            PWCHAR NameServer = malloc(((ch - LastNameStart) + 1) * sizeof(WCHAR));
-           memcpy(NameServer,NameServerString + LastNameStart,
-                  (ch - LastNameStart) * sizeof(WCHAR));
-           NameServer[ch - LastNameStart] = 0;
-           cb( Interface, NameServer, Data );
-           free(NameServer);
+            if (NameServer) {
+               memcpy(NameServer,NameServerString + LastNameStart,
+                      (ch - LastNameStart) * sizeof(WCHAR));
+               NameServer[ch - LastNameStart] = 0;
+               cb( Interface, NameServer, Data );
+               free(NameServer);
+            }
        }
        ConsumeRegValueString(NameServerString);
     }
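Review bot: On allocation failure the new guard on L144-L150 silently drops the last name server, and EnumNameServers (a void function, per L135) has no way to tell its caller the list is incomplete, so the caller gets a shorter DNS list with no error. At minimum log it and say so in a comment: `/* OOM: this server is dropped; EnumNameServers cannot report failure */`. The "A last name?" comment suggests the non-final names are emitted by a matching block earlier in the loop, outside this hunk; check that it received the same NULL check. The file also mixes malloc/free here with HeapAlloc elsewhere in the commit, which is harmless but worth aligning.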
@@ -223,6 +225,8 @@ PIPHLP_RES_INFO getResInfo() {
 
     PrivateNSEnum.NumServers = ServerCount;
     DnsList = HeapAlloc(GetProcessHeap(), 0, ServerCount * sizeof(IP_ADDR_STRING));
+    if (!DnsList) return NULL;
+
     ZeroMemory(DnsList, ServerCount * sizeof(IP_ADDR_STRING));
 
     ResInfo = (PIPHLP_RES_INFO)RtlAllocateHeap ( GetProcessHeap(), 0, sizeof(IPHLP_RES_INFO));
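Review bot: With DnsList now a checked allocation on L157-L158, the RtlAllocateHeap call on L162 that immediately follows needs a failure path that releases it, otherwise a failed second allocation leaks DnsList; that check lies beyond the end of this hunk, so I could not confirm it exists. The shape would be `if (!ResInfo) { HeapFree(GetProcessHeap(), 0, DnsList); return NULL; }`. The block also mixes HeapAlloc (L157) with RtlAllocateHeap (L162) for what look like paired allocations; using one API throughout makes the matching frees easier to audit. getResInfo starts before and ends after this hunk.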