
Commit aa8d624

committed
[SMSS] "BootDir" value creation: Fix fallback code
Addendum to commit c498d09. `SmpTranslateSystemPartitionInformation()`: Reset `DirInfo->Name.Buffer` to use the `DirInfoBuffer` scratch area before doing the OS boot drive letter fallback. Otherwise, writing directly through `DirInfo->Name.Buffer` would use its old value, which is `NULL` when the calls to `NtQueryDirectoryObject()` failed, and this would cause a memory access crash. Also take the opportunity to use structures embedding the `KEY_VALUE_PARTIAL_INFORMATION` and `OBJECT_DIRECTORY_INFORMATION` data headers, instead of plain `CHAR` arrays. This lets the structures have the correct memory alignment required by these data headers.
1 parent e2c92c0 commit aa8d624

1 file changed

+11
-10
lines changed


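--- a/base/system/smss/sminit.c
+++ b/base/system/smss/sminit.c
@@ -811,16 +811,16 @@ NTAPI
 SmpTranslateSystemPartitionInformation(VOID)
 {
 NTSTATUS Status;
-UNICODE_STRING UnicodeString, LinkTarget, SearchString, SystemPartition;
+UNICODE_STRING UnicodeString, LinkTarget, SymLinkU, SystemPartition;
 OBJECT_ATTRIBUTES ObjectAttributes;
 HANDLE KeyHandle, LinkHandle;
 ULONG Length, Context;
 size_t StrLength;
 WCHAR LinkBuffer[MAX_PATH];
-CHAR ValueBuffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + 512];
-PKEY_VALUE_PARTIAL_INFORMATION PartialInfo = (PVOID)ValueBuffer;
-CHAR DirInfoBuffer[sizeof(OBJECT_DIRECTORY_INFORMATION) + 512];
-POBJECT_DIRECTORY_INFORMATION DirInfo = (PVOID)DirInfoBuffer;
+struct { KEY_VALUE_PARTIAL_INFORMATION; CHAR Buffer[512]; } ValueBuffer;
+struct { OBJECT_DIRECTORY_INFORMATION; WCHAR Buffer[256]; } DirInfoBuffer;
+PKEY_VALUE_PARTIAL_INFORMATION PartialInfo = (PVOID)&ValueBuffer;
+POBJECT_DIRECTORY_INFORMATION DirInfo = (PVOID)&DirInfoBuffer;
 
 /* Open the setup key */
 RtlInitUnicodeString(&UnicodeString, L"\\Registry\\Machine\\System\\Setup");
@@ -841,7 +841,7 @@ SmpTranslateSystemPartitionInformation(VOID)
 Status = NtQueryValueKey(KeyHandle,
 &UnicodeString,
 KeyValuePartialInformation,
-PartialInfo,
+&ValueBuffer,
 sizeof(ValueBuffer),
 &Length);
 NtClose(KeyHandle);
@@ -863,10 +863,10 @@ SmpTranslateSystemPartitionInformation(VOID)
 SystemPartition.Length = (USHORT)StrLength;
 
 /* Enumerate the directory looking for the symbolic link string */
-RtlInitUnicodeString(&SearchString, L"SymbolicLink");
+RtlInitUnicodeString(&SymLinkU, L"SymbolicLink");
 RtlInitEmptyUnicodeString(&LinkTarget, LinkBuffer, sizeof(LinkBuffer));
 Status = NtQueryDirectoryObject(SmpDosDevicesObjectDirectory,
-DirInfo,
+&DirInfoBuffer,
 sizeof(DirInfoBuffer),
 TRUE,
 TRUE,
@@ -876,7 +876,7 @@ SmpTranslateSystemPartitionInformation(VOID)
 while (NT_SUCCESS(Status))
 {
 /* Is this it? */
-if (RtlEqualUnicodeString(&DirInfo->TypeName, &SearchString, TRUE) &&
+if (RtlEqualUnicodeString(&DirInfo->TypeName, &SymLinkU, TRUE) &&
 (DirInfo->Name.Length == 2 * sizeof(WCHAR)) &&
 (DirInfo->Name.Buffer[1] == L':'))
 {
@@ -911,7 +911,7 @@ SmpTranslateSystemPartitionInformation(VOID)
 
 /* Couldn't find it, try again */
 Status = NtQueryDirectoryObject(SmpDosDevicesObjectDirectory,
-DirInfo,
+&DirInfoBuffer,
 sizeof(DirInfoBuffer),
 TRUE,
 FALSE,
@@ -928,6 +928,7 @@ SmpTranslateSystemPartitionInformation(VOID)
 * NOTE: This has been introduced in a post-SP1 Windows 7 update. */
 if (Status != STATUS_NO_MORE_ENTRIES)
 return;
+DirInfo->Name.Buffer = DirInfoBuffer.Buffer;
 DirInfo->Name.Buffer[0] = SharedUserData->NtSystemRoot[0];
 DirInfo->Name.Buffer[1] = SharedUserData->NtSystemRoot[1]; // == L':';
 #else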
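Review bot: The fallback in the last hunk resets `DirInfo->Name.Buffer` but leaves `DirInfo->Name.Length` and `DirInfo->Name.MaximumLength` as whatever the failed `NtQueryDirectoryObject()` calls left in `DirInfoBuffer`, which is a non-initialized stack struct; the function continues past `#else` outside the hunk, and anything there that reads `DirInfo->Name` as a counted string would see a stale or uninitialized length. Whether the callee zeroes the output buffer on failure is not visible here, so this may already be covered; if not, setting them next to the reset, `DirInfo->Name.Length = 2 * sizeof(WCHAR);` and `DirInfo->Name.MaximumLength = sizeof(DirInfoBuffer.Buffer);`, would make the fallback self-contained. A short comment on the new line, e.g. `/* The failed queries may have left Name.Buffer NULL; point it back at the scratch area */`, would also tell a later reader why the reassignment is needed, since the reason currently lives only in the commit message.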
