The tables required for sorting are huge, and I would expect them to be
pageable. There is no need to use the CompareString if equality is all
that is required, bearing in mind that some characters that have aliased
codes in Unicode, such as “.”, might compare as “equal” under the “compare
Unicode string” function and “not equal” under the “compare memory”
option. Note that the “Code Red” exploit used this technique to bypass
the checking for “…” in the cgi path, thus allowing the exploit to escape
confinement. The “…” it checked for was by looking for two of the Page
00 “.” characters (U002E, if I remember my codes right, which might not be
the case…), so the exploit used a dot character from another Unicode
page, which was not seen as “…” by the checking software, but WAS seen as
“…” by the rest of the file system, hence the ability to break out of the
sandbox.
joe
>If I can guarantee that the buffers for my UNICODE_STRING are NonPagedPool,
>can I get away with calling RtlCompareUnicodeString? Or is it more that
>the RtlCompareUnicodeString routine itself might be paged out?

The routine may be paged out but also the character tables are said to
reside in paged memory. If you don’t need this for sorting but use this only
to check if two strings are equal, instead of using RtlCompareUnicodeString,
consider using RtlCompareMemory on the non paged buffers instead.

//Daniel
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
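The gap between the two kinds of comparison discussed in this thread, as an added user-mode example that is not part of the original messages: a binary compare and a folding compare disagree on an aliased dot, so a path check has to fold the same way its consumer does. `fold_unit` is a hypothetical stand-in for the consumer's character folding (it covers fullwidth forms only), and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the downstream consumer folds fullwidth forms
 * (U+FF01..U+FF5E) onto ASCII, as the Unicode compatibility mapping
 * does. A real consumer may fold more or less than this. */
static uint16_t fold_unit(uint16_t c)
{
    return (c >= 0xFF01 && c <= 0xFF5E) ? (uint16_t)(c - 0xFEE0) : c;
}

/* Binary equality: the answer a memory compare gives, no tables used. */
int equal_raw(const uint16_t *a, const uint16_t *b, size_t n)
{
    return memcmp(a, b, n * sizeof *a) == 0;
}

/* Equality as the folding consumer sees it. */
int equal_folded(const uint16_t *a, const uint16_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (fold_unit(a[i]) != fold_unit(b[i]))
            return 0;
    return 1;
}

/* Look for two adjacent dots. With fold == 0 only U+002E counts; with
 * fold != 0 every unit is folded first, matching the consumer's view. */
int has_dotdot(const uint16_t *s, size_t n, int fold)
{
    for (size_t i = 0; i + 1 < n; i++) {
        uint16_t x = fold ? fold_unit(s[i]) : s[i];
        uint16_t y = fold ? fold_unit(s[i + 1]) : s[i + 1];
        if (x == 0x002E && y == 0x002E)
            return 1;
    }
    return 0;
}

/* Constructed sample paths (UTF-16 code units, no terminator). */
const uint16_t plain_path[] = { '/', '.', '.', '/', 'a' };
const uint16_t alias_path[] = { '/', 0xFF0E, 0xFF0E, '/', 'a' };
```

A validator that calls `has_dotdot` with `fold == 0` accepts `alias_path`, while a consumer that folds treats it as equal to `plain_path`; checking with `fold != 0` closes that gap.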