From: Hartmut Birr
Date: Mon, 14 Nov 2005 17:46:00 +0000 (+0000)
Subject: Fixed a few length calculation in NtEnumerateValueKey, which has resulted in a overfl...
X-Git-Tag: backups/ros-branch-0_2_9@19949~680
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=69b13c4f41c9c2a45bc6970b185b8c0a76666981

Fixed a few length calculation in NtEnumerateValueKey, which has resulted in a overflow, if the given buffer was too small.

svn path=/trunk/; revision=19227
---

diff --git a/reactos/ntoskrnl/cm/ntfunc.c b/reactos/ntoskrnl/cm/ntfunc.c
index d841de2c3c7..57d5761e8fc 100644
--- a/reactos/ntoskrnl/cm/ntfunc.c
+++ b/reactos/ntoskrnl/cm/ntfunc.c
@@ -1135,18 +1135,16 @@ NtEnumerateValueKey(IN HANDLE KeyHandle,
         ROUND_UP(ValueFullInformation->DataOffset, sizeof(PVOID));
       ValueFullInformation->DataLength = ValueCell->DataSize & REG_DATA_SIZE_MASK;
-      if (Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]) <
-          NameSize)
+      if (Length < ValueFullInformation->DataOffset)
         {
           NameSize = Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]);
           DataSize = 0;
           Status = STATUS_BUFFER_OVERFLOW;
           CHECKPOINT;
         }
-      else if (ROUND_UP(Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION,
-          Name[0]) - NameSize, sizeof(PVOID)) < DataSize)
+      else if (Length - ValueFullInformation->DataOffset < DataSize)
         {
-          DataSize = ROUND_UP(Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]) - NameSize, sizeof(PVOID));
+          DataSize = Length - ValueFullInformation->DataOffset;
           Status = STATUS_BUFFER_OVERFLOW;
           CHECKPOINT;
         }
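Review bot: The new `if (Length < ValueFullInformation->DataOffset)` branch can enlarge NameSize instead of truncating it: DataOffset is rounded up to sizeof(PVOID) on the context line above, so when Length falls in that alignment padding (the whole name fits, but not the padding), `NameSize = Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0])` becomes larger than the value's real name length, and any later copy that uses NameSize as its byte count (outside this hunk, not visible here) would read past the name in the value cell and report a NameLength the value does not have. The assignment should only ever shrink the name: `if (Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]) < NameSize) NameSize = Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]);` with `DataSize = 0;` and the overflow status kept as they are. That subtraction also presumes an earlier check that Length is at least FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]); that check, like the start and end of NtEnumerateValueKey, lies outside the hunk. The hunk header announces 18 old and 16 new lines but only 17 and 15 are visible, so one context line appears to have been lost in this rendering.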