From a80552f8a9c56c719e44d3c2c68ad23f2b7f8a97 Mon Sep 17 00:00:00 2001
From: Dmitry Gorbachev
Date: Mon, 7 Dec 2009 01:30:32 +0000
Subject: [PATCH] Avoid buffer overflow (bug #4693).
svn path=/trunk/; revision=44449
---
 reactos/dll/win32/msafd/misc/dllmain.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/reactos/dll/win32/msafd/misc/dllmain.c b/reactos/dll/win32/msafd/misc/dllmain.c
index 9c10829c70c..3638795c6cd 100644
--- a/reactos/dll/win32/msafd/misc/dllmain.c
+++ b/reactos/dll/win32/msafd/misc/dllmain.c
@@ -560,25 +560,31 @@ WSPBind(SOCKET Handle,
 PAFD_BIND_DATA BindData;
 PSOCKET_INFORMATION Socket = NULL;
 NTSTATUS Status;
- UCHAR BindBuffer[0x1A];
 SOCKADDR_INFO SocketInfo;
 HANDLE SockEvent;
+ /* See below */
+ BindData = HeapAlloc(GlobalHeap, 0, 0xA + SocketAddressLength);
+ if (!BindData)
+ {
+ return MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL);
+ }
+
 Status = NtCreateEvent(&SockEvent, GENERIC_READ | GENERIC_WRITE, NULL, 1, FALSE);
- if( !NT_SUCCESS(Status) )
- return -1;
+ if (!NT_SUCCESS(Status))
+ {
+ HeapFree(GlobalHeap, 0, BindData);
+ return SOCKET_ERROR;
+ }
 /* Get the Socket Structure associate to this Socket*/
 Socket = GetSocketStructure(Handle);
- /* Dynamic Structure...ugh */
- BindData = (PAFD_BIND_DATA)BindBuffer;
-
 /* Set up Address in TDI Format */
 BindData->Address.TAAddressCount = 1;
 BindData->Address.Address[0].AddressLength = SocketAddressLength - sizeof(SocketAddress->sa_family);
@@ -633,9 +639,9 @@ WSPBind(SOCKET Handle,
 Socket->SharedData.State = SocketBound;
 Socket->TdiAddressHandle = (HANDLE)IOSB.Information;
- NtClose( SockEvent );
-
- return MsafdReturnWithErrno ( Status, lpErrno, 0, NULL );
+ NtClose(SockEvent);
+ HeapFree(GlobalHeap, 0, BindData);
+ return MsafdReturnWithErrno(Status, lpErrno, 0, NULL);
 }
 int
--
2.17.1
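Review bot: `SocketAddressLength` sizes the new allocation in `HeapAlloc(GlobalHeap, 0, 0xA + SocketAddressLength)` without any range check, so only the too-long case of the overflow is closed. A length below `sizeof(SocketAddress->sa_family)`, or a negative one if the parameter is a signed int as in the Winsock SPI prototype, still makes the `AddressLength` subtraction at the end of the hunk wrap. Whatever copy follows outside the hunk would then presumably run past the heap block. A guard ahead of the allocation, for example `if (SocketAddress == NULL || SocketAddressLength < (int)sizeof(SocketAddress->sa_family))` returning an error through `MsafdReturnWithErrno`, would cover that. The `/* See below */` comment also leaves `0xA` unexplained; a comment stating how it is derived from the AFD_BIND_DATA layout and the dropped `sa_family` field would make the size auditable. WSPBind starts and ends outside the hunk.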
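Review bot: The `HeapFree(GlobalHeap, 0, BindData);` added here releases the buffer only on the final exit of WSPBind. Lines 591–638 of the new file are not part of the patch, so it cannot be confirmed from here that no `return` sits on that stretch; any such path would leak both `BindData` and `SockEvent`. If one exists, routing every exit after the allocation through the same pair, `NtClose(SockEvent); HeapFree(GlobalHeap, 0, BindData);`, keeps the two releases together. The function begins outside the hunk.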