[ros-diffs] [cgutman] 40300: - Validate the output buffer size before writing to it - Fix some potential memory leaks - Lock the FCB in AfdCloseSocket

cgutman at svn.reactos.org cgutman at svn.reactos.org
Tue Mar 31 00:20:13 CEST 2009


Author: cgutman
Date: Tue Mar 31 02:20:12 2009
New Revision: 40300

URL: http://svn.reactos.org/svn/reactos?rev=40300&view=rev
Log:
 - Validate the output buffer size before writing to it
 - Fix some potential memory leaks
 - Lock the FCB in AfdCloseSocket

Modified:
    trunk/reactos/drivers/network/afd/afd/info.c
    trunk/reactos/drivers/network/afd/afd/listen.c
    trunk/reactos/drivers/network/afd/afd/main.c

Modified: trunk/reactos/drivers/network/afd/afd/info.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/info.c?rev=40300&r1=40299&r2=40300&view=diff
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/info.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/info.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -154,8 +154,10 @@
 
                 if (NT_SUCCESS(Status))
                 {
-                    RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress, TaLengthOfTransportAddress
-                                                                                  (ConnInfo->RemoteAddress));
+                    if (IrpSp->Parameters.DeviceIoControl.OutputBufferLength >= TaLengthOfTransportAddress(ConnInfo->RemoteAddress))
+                        RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress, TaLengthOfTransportAddress(ConnInfo->RemoteAddress));
+                    else
+                        Status = STATUS_BUFFER_TOO_SMALL;
                 }
             }
          }
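Review bot: The added length check bounds the copy size, but `Irp->UserBuffer` is still written directly; if this IOCTL is defined with METHOD_NEITHER that is an unprobed user-mode pointer, and the RtlCopyMemory would need to sit inside `_SEH2_TRY` after `ProbeForWrite` — confirm the buffering method from the IOCTL definition, which is outside this hunk. `TaLengthOfTransportAddress(ConnInfo->RemoteAddress)` is evaluated twice on adjacent lines; hoisting it into `ULONG AddrLen = TaLengthOfTransportAddress(ConnInfo->RemoteAddress);` and using AddrLen in both the comparison and the copy keeps the check and the write tied to one value. A caller that receives STATUS_BUFFER_TOO_SMALL will usually expect `Irp->IoStatus.Information` to report the required length; whether the completion path sets it is not visible here. The enclosing function starts and ends outside the hunk.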

Modified: trunk/reactos/drivers/network/afd/afd/listen.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/listen.c?rev=40300&r1=40299&r2=40300&view=diff
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -215,7 +215,21 @@
 	  FCB->LocalAddress->Address[0].AddressType );
 
     if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo )
+    {
+        if (FCB->ListenIrp.ConnectionReturnInfo)
+        {
+            ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+            FCB->ListenIrp.ConnectionReturnInfo = NULL;
+        }
+
+        if (FCB->ListenIrp.ConnectionCallInfo)
+        {
+            ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+            FCB->ListenIrp.ConnectionCallInfo = NULL;
+        }
+
 	return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+    }
 
     FCB->State = SOCKET_STATE_LISTENING;
 
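Review bot: The two free-and-NULL blocks added here are repeated verbatim in the `@@ -298,7 +315,21 @@` hunk of the same file, so the leak fix now lives in two places that can drift apart; a small static helper that releases whichever listen buffer was allocated, called from both failure paths, keeps one copy of the ownership rule. The helper is shown below; each failure path then reduces to `FreeListenInfo( FCB );` before the existing `return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );`. The enclosing function starts outside the hunk.
```c
/* Release whichever of the two listen buffers was allocated and clear the
 * pointers so a later teardown cannot free them again. Safe with either NULL. */
static VOID FreeListenInfo( PAFD_FCB FCB )
{
    if( FCB->ListenIrp.ConnectionReturnInfo )
    {
        ExFreePool( FCB->ListenIrp.ConnectionReturnInfo );
        FCB->ListenIrp.ConnectionReturnInfo = NULL;
    }

    if( FCB->ListenIrp.ConnectionCallInfo )
    {
        ExFreePool( FCB->ListenIrp.ConnectionCallInfo );
        FCB->ListenIrp.ConnectionCallInfo = NULL;
    }
}
```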
@@ -229,6 +243,9 @@
 
     if( Status == STATUS_PENDING )
 	Status = STATUS_SUCCESS;
+
+    if (NT_SUCCESS(Status))
+        FCB->NeedsNewListen = FALSE;
 
     AFD_DbgPrint(MID_TRACE,("Returning %x\n", Status));
     return UnlockAndMaybeComplete( FCB, Status, Irp, 0 );
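Review bot: The new `FCB->NeedsNewListen = FALSE` depends on the STATUS_PENDING-to-STATUS_SUCCESS collapse two lines above it, so a TdiListen that is still in flight also clears the flag; that is presumably intended, but a one-line comment would make it explicit, e.g. `/* A pending TdiListen counts as an active listen: nothing to re-issue until it completes */`. Confirm against the readers of NeedsNewListen, which are outside this hunk, as is the start of the enclosing function.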
@@ -298,7 +315,21 @@
                 FCB->LocalAddress->Address[0].AddressType );
 
             if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo )
+            {
+                if (FCB->ListenIrp.ConnectionReturnInfo)
+                {
+                    ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+                    FCB->ListenIrp.ConnectionReturnInfo = NULL;
+                }
+
+                if (FCB->ListenIrp.ConnectionCallInfo)
+                {
+                    ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+                    FCB->ListenIrp.ConnectionCallInfo = NULL;
+                }
+
 	        return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+            }
 
 	    Status = TdiListen( &FCB->ListenIrp.InFlightRequest,
 				FCB->Connection.Object,

Modified: trunk/reactos/drivers/network/afd/afd/main.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/main.c?rev=40300&r1=40299&r2=40300&view=diff
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -142,11 +142,14 @@
 	/* Allocate our backup buffer */
 	FCB->Recv.Window = ExAllocatePool( NonPagedPool, FCB->Recv.Size );
 	if( !FCB->Recv.Window ) Status = STATUS_NO_MEMORY;
-        FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
-	if( !FCB->Send.Window ) {
-	    if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
-	    Status = STATUS_NO_MEMORY;
-	}
+        if( NT_SUCCESS(Status) )
+        {
+            FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
+	    if( !FCB->Send.Window ) {
+	         if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
+	         Status = STATUS_NO_MEMORY;
+            }
+	     }
 	/* A datagram socket is always sendable */
 	FCB->PollState |= AFD_EVENT_SEND;
         PollReeval( FCB->DeviceExt, FCB->FileObject );
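Review bot: On the Send-allocation failure path `ExFreePool( FCB->Recv.Window )` leaves `FCB->Recv.Window` holding the freed address, so any later teardown that frees the window again (the socket destroy path is the likely candidate, outside this hunk) would double-free it; the line should become `ExFreePool( FCB->Recv.Window ); FCB->Recv.Window = NULL;`. The inner `if( FCB->Recv.Window )` guard is now always true, because this branch only runs when the Recv allocation succeeded, and can be dropped. The new lines mix tabs and spaces, so the two closing braces at the end of the added block do not line up with the `if` lines they close; reindenting them in the file's tab style would make the nesting readable. The enclosing function starts and ends outside the hunk.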
@@ -235,6 +238,8 @@
     AFD_DbgPrint(MID_TRACE,
 		 ("AfdClose(DeviceObject %p Irp %p)\n", DeviceObject, Irp));
 
+    if( !SocketAcquireStateLock( FCB ) ) return LostSocket( Irp );
+
     AFD_DbgPrint(MID_TRACE,("FCB %x\n", FCB));
 
     FCB->PollState |= AFD_EVENT_CLOSE;
@@ -244,11 +249,13 @@
     if( FCB->EventSelect ) ObDereferenceObject( FCB->EventSelect );
 
     FileObject->FsContext = NULL;
+    SocketStateUnlock( FCB );
+
     DestroySocket( FCB );
 
     Irp->IoStatus.Status = STATUS_SUCCESS;
     Irp->IoStatus.Information = 0;
-    IoCompleteRequest(Irp, IO_NO_INCREMENT);
+    IoCompleteRequest(Irp, IO_NETWORK_INCREMENT);
 
     AFD_DbgPrint(MID_TRACE, ("Returning success.\n"));
 
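Review bot: `IoCompleteRequest(Irp, IO_NETWORK_INCREMENT)` changes the completion priority boost, which none of the three items in the log message covers; either note it there or split it out so the locking change stays reviewable on its own. Releasing the lock on the line before `DestroySocket( FCB )` is needed if DestroySocket frees the FCB that holds the lock, but it opens a window in which another thread that already obtained the FCB may still be using it; `FileObject->FsContext = NULL` is set under the lock, which closes the lookup path, though whether DestroySocket waits for in-flight users is outside this hunk. The enclosing function (AfdCloseSocket, per the log) ends outside the hunk.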


