services: Use a separate allocation for NotifyParamsArray[0].params.

The pointer might be freed by RPC NdrPointerFree, which will try to use a dedicated free call for the array elements, and fail. (cherry picked from commit 03aa9e13)

services: Use a separate allocation for NotifyParamsArray[0].params.
cbc1ba2d · Rémi Bernon · Alexandre Julliard · 40d54217 · cbc1ba2d
Commit cbc1ba2d authored Jan 24, 2023 by Rémi Bernon Committed by Alexandre Julliard Apr 19, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

rpc.c programs/services/rpc.c +8 -3

No files found.
--- a/programs/services/rpc.c
+++ b/programs/services/rpc.c
@@ -102,6 +102,8 @@ static void sc_notify_release(struct sc_notify_handle *notify)
    if (r == 0)
    {
        CloseHandle(notify->event);
+        if (notify->params_list)
+            free(notify->params_list->NotifyParamsArray[0].params);
        free(notify->params_list);
        free(notify);
    }
@@ -841,11 +843,14 @@ static void fill_notify(struct sc_notify_handle *notify, struct service_entry *s
    SC_RPC_NOTIFY_PARAMS_LIST *list;
    SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2 *cparams;
-    list = calloc(1, sizeof(SC_RPC_NOTIFY_PARAMS_LIST) + sizeof(SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2));
+    list = calloc(1, sizeof(SC_RPC_NOTIFY_PARAMS_LIST));
    if (!list)
        return;
+    if (!(cparams = calloc(1, sizeof(SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2))))
-    cparams = (SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2 *)(list + 1);
+    {
+        free(list);
+        return;
+    }
    cparams->dwNotifyMask = notify->notify_mask;
    fill_status_process(&cparams->ServiceStatus, service);