Fix heap corruption in co-installer

The co-installer was corrupting its heap by trying to free a pointer after
incrementing it from its original value.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>

diff --git a/src/coinst/coinst.c b/src/coinst/coinst.c
index 27d3211282f10ee7f738f6a3a1f1c0dacba71dc8..59726f58c36ddeab9b9b2dcb7fe8f3960380fa39 100644 (file)
--- a/src/coinst/coinst.c
+++ b/src/coinst/coinst.c
@@ -1132,6 +1132,7 @@ MatchExistingDriver(
     DWORD   MaxValueLength;
     DWORD   DriverDescLength;
     PTCHAR  DriverDesc = NULL;
+    DWORD   ProductNameLength;
     DWORD   Type;
 
     // Look for a legacy platform device
@@ -1213,16 +1214,17 @@ found:
         goto fail9;
     }
 
+    ProductNameLength = (DWORD)strlen(PRODUCT_NAME_STR);
+
     if (strncmp(DriverDesc,
                 PRODUCT_NAME_STR,
-                strlen(PRODUCT_NAME_STR)) != 0) {
+                ProductNameLength) != 0) {
         SetLastError(ERROR_INSTALL_FAILURE);
         goto fail10;
     }
 
-    DriverDesc += strlen(PRODUCT_NAME_STR);
-
-    if (strcmp(DriverDesc, " PV Bus") != 0) {
+    if (strcmp(DriverDesc + ProductNameLength,
+               " PV Bus") != 0) {
         SetLastError(ERROR_INSTALL_FAILURE);
         goto fail11;
     }

diff --git a/src/xenbus.inf b/src/xenbus.inf
index fe01c792187af66a8bfc859fc53e4355128bfa9a..544bb2c43fc0f31fe5ab98aa3278554eabc390c8 100644 (file)
--- a/src/xenbus.inf
+++ b/src/xenbus.inf
@@ -72,8 +72,8 @@ xenbus_coinst_@MAJOR_VERSION@_@MINOR_VERSION@_@MICRO_VERSION@_@BUILD_NUMBER@.dll
 CopyFiles=XenBus_Copyfiles
 
 [XenBus_Inst.Services] 
-AddService=xenfilt,,XenFilt_Service,
 AddService=xenbus,0x02,XenBus_Service,
+AddService=xenfilt,,XenFilt_Service,
 
 [XenBus_Service] 
 DisplayName=%XenBusDesc%