From 103e282d2dc21fb8cf842d1c91cdbfaa5623b82a Mon Sep 17 00:00:00 2001
From: Pierre Schweitzer
Date: Sun, 21 Jun 2015 05:40:15 +0000
Subject: [PATCH] [NTOSKRNL] Don't trust the user! Probe buffers in NtSetSystemInformation - SystemSessionCreate and in NtSetSystemInformation - SystemSessionDetach

svn path=/trunk/; revision=68221
---
 reactos/ntoskrnl/ex/sysinfo.c | 39 ++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/reactos/ntoskrnl/ex/sysinfo.c b/reactos/ntoskrnl/ex/sysinfo.c
index cd88b2256bb..cfa46a3f7fc 100644
--- a/reactos/ntoskrnl/ex/sysinfo.c
+++ b/reactos/ntoskrnl/ex/sysinfo.c
@@ -2068,10 +2068,31 @@ SSI_DEF(SystemSessionCreate)
 {
 return STATUS_PRIVILEGE_NOT_HELD;
 }
+
+ _SEH2_TRY
+ {
+ ProbeForWriteUlong(Buffer);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
 }

 Status = MmSessionCreate(&SessionId);
- if (NT_SUCCESS(Status)) *(PULONG)Buffer = SessionId;
+ if (NT_SUCCESS(Status))
+ {
+ _SEH2_TRY
+ {
+ *(PULONG)Buffer = SessionId;
+ }
+ _SEH2_EXCEPT(ExSystemExceptionFilter())
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+ }

 return Status;
 }
@@ -2091,9 +2112,21 @@ SSI_DEF(SystemSessionDetach)
 {
 return STATUS_PRIVILEGE_NOT_HELD;
 }
- }

- SessionId = *(PULONG)Buffer;
+ _SEH2_TRY
+ {
+ SessionId = ProbeForReadUlong(Buffer);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+ }
+ else
+ {
+ SessionId = *(PULONG)Buffer;
+ }

 return MmSessionDelete(SessionId);
 }
--
2.17.1
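Review bot: When the write-back `*(PULONG)Buffer = SessionId` faults, the handler replaces Status with the exception code but leaves the session that `MmSessionCreate` just created in place, so the caller gets a failure status for a session that now exists and whose id it never learned. If the user buffer becomes inaccessible between `ProbeForWriteUlong(Buffer)` and the write this is an orphaned session; consider undoing the creation in the handler — presumably `MmSessionDelete(SessionId)`, which the sibling SystemSessionDetach path already calls — or add a comment stating that the leak is accepted. The probe handler uses `EXCEPTION_EXECUTE_HANDLER` while the write uses `ExSystemExceptionFilter()`; a one-line comment such as `/* Buffer may be a kernel-mode pointer here: let ExSystemExceptionFilter decide whether to swallow the fault */` above the second `_SEH2_EXCEPT` would make that difference read as intentional. SystemSessionCreate's body begins outside the hunk, so whether `Size` was validated against `sizeof(ULONG)` beforehand cannot be confirmed here.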
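Review bot: The new `else` branch reads `*(PULONG)Buffer` directly while the user-mode branch goes through `ProbeForReadUlong(Buffer)`, and nothing records why the two paths differ; a short comment on the `else`, e.g. `/* Kernel-mode callers pass a trusted buffer, no probe required */`, would keep a later reader from "fixing" the asymmetry. Capturing `SessionId` once inside the probed block, rather than probing and then re-reading the user buffer later, is the right shape: the value handed to `MmSessionDelete` cannot change after it was validated. SystemSessionDetach's body begins outside the hunk, so the earlier `Size` check is not visible here.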