[ros-bugs] [Bug 3513] New: Kernel crash when creating 4100th handle

[ReactOS.Bugzilla at www.reactos.org]

http://www.reactos.org/bugzilla/show_bug.cgi?id=3513

           Summary: Kernel crash when creating 4100th handle
           Product: ReactOS
           Version: unspecified
          Platform: QEmu
        OS/Version: ReactOS
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: Kernel
        AssignedTo: ros-bugs at reactos.org
        ReportedBy: stefan__100__ at hotmail.com
         QAContact: ros-bugs at reactos.org


When a process creates a 4100th handle, the kernel crashes in
ntoskrnl/ex/handle.c at line 750 due to dereferencing 0x0000000C.

The line, which is in function ExpAllocateHandleTableEntry, is this:

NewValue = *(volatile ULONG*)&Entry->NextFreeTableEntry;

However, note that "Entry" isn't NULL but 0x8.
We retreive "Entry" at line 733 by calling ExpLookupHandleTableEntry.

(Note that there is an unrelated bug here -- we don't test if Entry returned
from ExpLookupHandleTableEntry is NULL. We should and fail in that case by
returning NULL.)

In ExpLookupHandleTableEntry, we get the bad Entry at line 83 in "case 1:".


Everytime I received an Entry with the value 0x8, variables had the following
values:

LookupHandle.Value is 4100
Handle.Value is 4096

Level1 is 0
Level2 is 0x8D2F7000


i is 4l
j is 8l


Obviously, something is wrong with Level1, but I was unable to examine further
due to lack of understanding of our handle table.


NOTE: Line numbers are relative to revision 34440 (current trunk).


-- 
Configure bugmail: http://www.reactos.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.