From d6aa6536482efa719a44a757ea2622cad86f1e23 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Mon, 25 Aug 2014 22:53:08 +0200
Subject: Windows vulnerability fix : avoid kernel pointer disclosure through a
 call to TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG but restricting this call to
 Kernel Mode.

---
 src/Driver/Ntdriver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src/Driver')

diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 9574483b..ce4ebf51 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -1504,7 +1504,9 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 		break;
 
 	case TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG:
-		if (ValidateIOBufferSize (Irp, sizeof (GetSystemDriveDumpConfigRequest), ValidateOutput))
+		if (	(ValidateIOBufferSize (Irp, sizeof (GetSystemDriveDumpConfigRequest), ValidateOutput))
+			&&	(Irp->RequestorMode == KernelMode)
+			)
 		{
 			GetSystemDriveDumpConfigRequest *request = (GetSystemDriveDumpConfigRequest *) Irp->AssociatedIrp.SystemBuffer;
 
-- 
cgit v1.2.3