https://git.reactos.org/?p=reactos.git;a=commitdiff;h=8d91d4c8e1907ca50c3489e8f4868cf5827f1d5c
commit 8d91d4c8e1907ca50c3489e8f4868cf5827f1d5c Author: Hermès Bélusca-Maïto <hermes.belusca-ma...@reactos.org> AuthorDate: Tue Jan 28 14:45:15 2025 +0100 Commit: Hermès Bélusca-Maïto <hermes.belusca-ma...@reactos.org> CommitDate: Tue Jan 28 15:29:40 2025 +0100 [MOUNTMGR] MountMgrMountedDeviceArrival(): Fix pool buffer double-free. `DeviceInformation->DeviceName.Buffer` was already freed via the previous `FreePool(TargetDeviceName.Buffer);` call, since `DeviceInformation->DeviceName` was set to `TargetDeviceName` above in the code. This resulted in a pool double-free, triggering a corruption of the pool, and a BSoD. What had to be freed instead, is `DeviceInformation->SymbolicName.Buffer` that is allocated at the beginning of the function. --- drivers/storage/mountmgr/mountmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/storage/mountmgr/mountmgr.c b/drivers/storage/mountmgr/mountmgr.c index 4e1552791bc..6603df3f53b 100644 --- a/drivers/storage/mountmgr/mountmgr.c +++ b/drivers/storage/mountmgr/mountmgr.c @@ -995,7 +995,7 @@ MountMgrMountedDeviceArrival(IN PDEVICE_EXTENSION DeviceExtension, FreePool(UniqueId); FreePool(TargetDeviceName.Buffer); - FreePool(DeviceInformation->DeviceName.Buffer); + FreePool(DeviceInformation->SymbolicName.Buffer); FreePool(DeviceInformation); KeReleaseSemaphore(&(DeviceExtension->DeviceLock), IO_NO_INCREMENT, 1, FALSE);
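Review bot: In the cleanup sequence at `@@ -995,7 +995,7 @@`, the aliasing that caused the double-free is still implicit: nothing in these lines says that `FreePool(TargetDeviceName.Buffer);` also releases the buffer that `DeviceInformation->DeviceName` points to. A short comment above that call stating this would help prevent the stale free from being reintroduced. Please also confirm that every path reaching this block still has `DeviceInformation->SymbolicName.Buffer` allocated and owned by this function, and check the function's other exit paths for the same pair of frees, since only this one hunk is visible here.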