mirror of
https://github.com/reactos/reactos.git
synced 2025-08-05 15:23:03 +00:00
- Fix a handle leak
- Fix a potential NULL pointer dereference if ExAllocatePool fails - Fix a potential NULL pointer dereference that causes AFD to crash when the socket is closed with waiting send IRPs - Fix another NULL pointer dereference if NdisOpenConfiguration fails - Move ASSERT before accessing Status - Add some sanity checks - Most of these were found by Amine Khaldi svn path=/trunk/; revision=42659
This commit is contained in:
Cameron Gutman
parent
2bddd27873
commit
42e498c4b0
8 changed files with 20 additions and 18 deletions
|
|
@ -207,7 +207,6 @@ AfdSelect( PDEVICE_OBJECT DeviceObject, PIRP Irp,
|
||||||
|
|
||||||
if( (FCB->PollState & AFD_EVENT_CLOSE) ||
|
if( (FCB->PollState & AFD_EVENT_CLOSE) ||
|
||||||
(PollReq->Handles[i].Status & AFD_EVENT_CLOSE) ) {
|
(PollReq->Handles[i].Status & AFD_EVENT_CLOSE) ) {
|
||||||
AFD_HANDLES(PollReq)[i].Handle = 0;
|
|
||||||
PollReq->Handles[i].Events = 0;
|
PollReq->Handles[i].Events = 0;
|
||||||
PollReq->Handles[i].Status = AFD_EVENT_CLOSE;
|
PollReq->Handles[i].Status = AFD_EVENT_CLOSE;
|
||||||
Signalled++;
|
Signalled++;
|
||||||
|
|
|
||||||
|
|
@ -44,7 +44,8 @@ VOID TaCopyAddressInPlace( PTA_ADDRESS Target,
|
||||||
PTA_ADDRESS TaCopyAddress( PTA_ADDRESS Source ) {
|
PTA_ADDRESS TaCopyAddress( PTA_ADDRESS Source ) {
|
||||||
UINT AddrLen = TaLengthOfAddress( Source );
|
UINT AddrLen = TaLengthOfAddress( Source );
|
||||||
PVOID Buffer = ExAllocatePool( NonPagedPool, AddrLen );
|
PVOID Buffer = ExAllocatePool( NonPagedPool, AddrLen );
|
||||||
RtlCopyMemory( Buffer, Source, AddrLen );
|
if (Buffer)
|
||||||
|
RtlCopyMemory( Buffer, Source, AddrLen );
|
||||||
return Buffer;
|
return Buffer;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -51,6 +51,8 @@ static NTSTATUS NTAPI SendComplete
|
||||||
while( !IsListEmpty( &FCB->PendingIrpList[FUNCTION_SEND] ) ) {
|
while( !IsListEmpty( &FCB->PendingIrpList[FUNCTION_SEND] ) ) {
|
||||||
NextIrpEntry = RemoveHeadList(&FCB->PendingIrpList[FUNCTION_SEND]);
|
NextIrpEntry = RemoveHeadList(&FCB->PendingIrpList[FUNCTION_SEND]);
|
||||||
NextIrp = CONTAINING_RECORD(NextIrpEntry, IRP, Tail.Overlay.ListEntry);
|
NextIrp = CONTAINING_RECORD(NextIrpEntry, IRP, Tail.Overlay.ListEntry);
|
||||||
|
NextIrpSp = IoGetCurrentIrpStackLocation( NextIrp );
|
||||||
|
SendReq = NextIrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
|
||||||
NextIrp->IoStatus.Status = STATUS_FILE_CLOSED;
|
NextIrp->IoStatus.Status = STATUS_FILE_CLOSED;
|
||||||
NextIrp->IoStatus.Information = 0;
|
NextIrp->IoStatus.Information = 0;
|
||||||
UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);
|
UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);
|
||||||
|
|
|
||||||
|
|
@ -1850,6 +1850,12 @@ NdisIPnPStartDevice(
|
||||||
*/
|
*/
|
||||||
|
|
||||||
NdisOpenConfiguration(&NdisStatus, &ConfigHandle, (NDIS_HANDLE)&WrapperContext);
|
NdisOpenConfiguration(&NdisStatus, &ConfigHandle, (NDIS_HANDLE)&WrapperContext);
|
||||||
|
if (NdisStatus != NDIS_STATUS_SUCCESS)
|
||||||
|
{
|
||||||
|
NDIS_DbgPrint(MIN_TRACE, ("Failed to open configuration key\n"));
|
||||||
|
ExInterlockedRemoveEntryList( &Adapter->ListEntry, &AdapterListLock );
|
||||||
|
return NdisStatus;
|
||||||
|
}
|
||||||
|
|
||||||
Size = sizeof(ULONG);
|
Size = sizeof(ULONG);
|
||||||
Status = IoGetDeviceProperty(Adapter->NdisMiniportBlock.PhysicalDeviceObject,
|
Status = IoGetDeviceProperty(Adapter->NdisMiniportBlock.PhysicalDeviceObject,
|
||||||
|
|
|
||||||
|
|
@ -237,11 +237,11 @@ NdisOpenFile(
|
||||||
|
|
||||||
NDIS_DbgPrint(MAX_TRACE, ("Called.\n"));
|
NDIS_DbgPrint(MAX_TRACE, ("Called.\n"));
|
||||||
|
|
||||||
|
ASSERT ( Status && FileName );
|
||||||
|
|
||||||
*Status = NDIS_STATUS_SUCCESS;
|
*Status = NDIS_STATUS_SUCCESS;
|
||||||
FullFileName.Buffer = NULL;
|
FullFileName.Buffer = NULL;
|
||||||
|
|
||||||
ASSERT ( Status && FileName );
|
|
||||||
|
|
||||||
FullFileName.Length = sizeof(NDIS_FILE_FOLDER);
|
FullFileName.Length = sizeof(NDIS_FILE_FOLDER);
|
||||||
FullFileName.MaximumLength = FileName->MaximumLength + sizeof(NDIS_FILE_FOLDER);
|
FullFileName.MaximumLength = FileName->MaximumLength + sizeof(NDIS_FILE_FOLDER);
|
||||||
FullFileName.Buffer = ExAllocatePool ( NonPagedPool, FullFileName.MaximumLength );
|
FullFileName.Buffer = ExAllocatePool ( NonPagedPool, FullFileName.MaximumLength );
|
||||||
|
|
|
||||||
|
|
@ -582,10 +582,7 @@ NTSTATUS DispTdiListen(
|
||||||
|
|
||||||
TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile: %x\n",
|
TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile: %x\n",
|
||||||
Connection->AddressFile ));
|
Connection->AddressFile ));
|
||||||
if( Connection->AddressFile ) {
|
ASSERT(Connection->AddressFile);
|
||||||
TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile->Listener: %x\n",
|
|
||||||
Connection->AddressFile->Listener));
|
|
||||||
}
|
|
||||||
|
|
||||||
Status = DispPrepareIrpForCancel
|
Status = DispPrepareIrpForCancel
|
||||||
(TranContext->Handle.ConnectionContext,
|
(TranContext->Handle.ConnectionContext,
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,7 @@ TDI_STATUS InfoCopyOut( PCHAR DataOut, UINT SizeOut,
|
||||||
|
|
||||||
/* The driver returns success even when it couldn't fit every available
|
/* The driver returns success even when it couldn't fit every available
|
||||||
* byte. */
|
* byte. */
|
||||||
if( RememberedCBSize < SizeOut )
|
if( RememberedCBSize < SizeOut || !ClientBuf )
|
||||||
return TDI_SUCCESS;
|
return TDI_SUCCESS;
|
||||||
else {
|
else {
|
||||||
CopyBufferToBufferChain( ClientBuf, 0, (PCHAR)DataOut, SizeOut );
|
CopyBufferToBufferChain( ClientBuf, 0, (PCHAR)DataOut, SizeOut );
|
||||||
|
|
@ -99,7 +99,7 @@ TDI_STATUS InfoTdiQueryListEntities(PNDIS_BUFFER Buffer,
|
||||||
|
|
||||||
TI_DbgPrint(DEBUG_INFO,("BufSize: %d, NeededSize: %d\n", BufSize, Size));
|
TI_DbgPrint(DEBUG_INFO,("BufSize: %d, NeededSize: %d\n", BufSize, Size));
|
||||||
|
|
||||||
if (BufSize < Size)
|
if (BufSize < Size || !Buffer)
|
||||||
{
|
{
|
||||||
TcpipReleaseSpinLock( &EntityListLock, OldIrql );
|
TcpipReleaseSpinLock( &EntityListLock, OldIrql );
|
||||||
/* The buffer is too small to contain requested data, but we return
|
/* The buffer is too small to contain requested data, but we return
|
||||||
|
|
|
||||||
|
|
@ -91,20 +91,17 @@ TDI_STATUS InfoTdiQueryGetRouteTable( PNDIS_BUFFER Buffer, PUINT BufferSize ) {
|
||||||
RtCount = CopyFIBs( RCache );
|
RtCount = CopyFIBs( RCache );
|
||||||
|
|
||||||
while( RtCurrent < RouteEntries + RtCount ) {
|
while( RtCurrent < RouteEntries + RtCount ) {
|
||||||
/* Copy Desitnation */
|
ASSERT(RCacheCur->Router);
|
||||||
|
|
||||||
RtlCopyMemory( &RtCurrent->Dest,
|
RtlCopyMemory( &RtCurrent->Dest,
|
||||||
&RCacheCur->NetworkAddress.Address,
|
&RCacheCur->NetworkAddress.Address,
|
||||||
sizeof(RtCurrent->Dest) );
|
sizeof(RtCurrent->Dest) );
|
||||||
RtlCopyMemory( &RtCurrent->Mask,
|
RtlCopyMemory( &RtCurrent->Mask,
|
||||||
&RCacheCur->Netmask.Address,
|
&RCacheCur->Netmask.Address,
|
||||||
sizeof(RtCurrent->Mask) );
|
sizeof(RtCurrent->Mask) );
|
||||||
|
RtlCopyMemory( &RtCurrent->Gw,
|
||||||
if( RCacheCur->Router )
|
&RCacheCur->Router->Address.Address,
|
||||||
RtlCopyMemory( &RtCurrent->Gw,
|
sizeof(RtCurrent->Gw) );
|
||||||
&RCacheCur->Router->Address.Address,
|
|
||||||
sizeof(RtCurrent->Gw) );
|
|
||||||
else
|
|
||||||
RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) );
|
|
||||||
|
|
||||||
RtCurrent->Metric1 = RCacheCur->Metric;
|
RtCurrent->Metric1 = RCacheCur->Metric;
|
||||||
RtCurrent->Type = TDI_ADDRESS_TYPE_IP;
|
RtCurrent->Type = TDI_ADDRESS_TYPE_IP;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue