projects / reactos.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 88f7be1)
[NTFS] Fix use after free in failure case of NtfsMountVolume.
authorThomas Faber <thomas.faber@reactos.org>
Sat, 11 Jan 2020 13:08:20 +0000 (14:08 +0100)
committerThomas Faber <thomas.faber@reactos.org>
Sat, 11 Jan 2020 13:10:55 +0000 (14:10 +0100)
NtfsGetVolumeData frees FileRecLookasideList in case of failure, so don't
free it again.
Dereferencing NewDeviceObject invalidates Vcb.

drivers/filesystems/ntfs/fsctl.c patch | blob | history

diff --git a/drivers/filesystems/ntfs/fsctl.c b/drivers/filesystems/ntfs/fsctl.c
index a8c2a42..a08a227 100644 (file)
--- a/drivers/filesystems/ntfs/fsctl.c
+++ b/drivers/filesystems/ntfs/fsctl.c
@@ -452,8 +452,6 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
     if (!NT_SUCCESS(Status))
         goto ByeBye;
 
-    Lookaside = TRUE;
-
     NewDeviceObject->Flags |= DO_DIRECT_IO;
     Vcb = (PVOID)NewDeviceObject->DeviceExtension;
     RtlZeroMemory(Vcb, sizeof(NTFS_VCB));
@@ -466,6 +464,8 @@ NtfsMountVolume(PDEVICE_OBJECT DeviceObject,
     if (!NT_SUCCESS(Status))
         goto ByeBye;
 
+    Lookaside = TRUE;
+
     NewDeviceObject->Vpb = DeviceToMount->Vpb;
 
     Vcb->StorageDevice = DeviceToMount;
@@ -564,11 +564,11 @@ ByeBye:
         if (Ccb)
             ExFreePool(Ccb);
 
-        if (NewDeviceObject)
-            IoDeleteDevice(NewDeviceObject);
-
         if (Lookaside)
             ExDeleteNPagedLookasideList(&Vcb->FileRecLookasideList);
+
+        if (NewDeviceObject)
+            IoDeleteDevice(NewDeviceObject);
     }
 
     DPRINT("NtfsMountVolume() done (Status: %lx)\n", Status);
A free Windows-compatible Operating System