[LWIP]
- Fix a buffer overflow when the packet queue has more packets than the receive request can take - Remove an extra variable svn path=/trunk/; revision=53188
parent
5bf224e84b
commit
6fbcf9c9ea
|
@ -83,11 +83,10 @@ NTSTATUS LibTCPGetDataFromConnectionQueue(PCONNECTION_ENDPOINT Connection, PUCHA
|
||||||
PQUEUE_ENTRY qp;
|
PQUEUE_ENTRY qp;
|
||||||
struct pbuf* p;
|
struct pbuf* p;
|
||||||
NTSTATUS Status = STATUS_PENDING;
|
NTSTATUS Status = STATUS_PENDING;
|
||||||
UINT ReadLength, ExistingDataLength, SpaceLeft;
|
UINT ReadLength, ExistingDataLength;
|
||||||
KIRQL OldIrql;
|
KIRQL OldIrql;
|
||||||
|
|
||||||
(*Received) = 0;
|
(*Received) = 0;
|
||||||
SpaceLeft = RecvLen;
|
|
||||||
|
|
||||||
LockObject(Connection, &OldIrql);
|
LockObject(Connection, &OldIrql);
|
||||||
|
|
||||||
|
@ -100,7 +99,7 @@ NTSTATUS LibTCPGetDataFromConnectionQueue(PCONNECTION_ENDPOINT Connection, PUCHA
|
||||||
|
|
||||||
Status = STATUS_SUCCESS;
|
Status = STATUS_SUCCESS;
|
||||||
|
|
||||||
ReadLength = MIN(p->tot_len, SpaceLeft);
|
ReadLength = MIN(p->tot_len, RecvLen);
|
||||||
if (ReadLength != p->tot_len)
|
if (ReadLength != p->tot_len)
|
||||||
{
|
{
|
||||||
if (ExistingDataLength)
|
if (ExistingDataLength)
|
||||||
|
@ -128,7 +127,7 @@ NTSTATUS LibTCPGetDataFromConnectionQueue(PCONNECTION_ENDPOINT Connection, PUCHA
|
||||||
|
|
||||||
LockObject(Connection, &OldIrql);
|
LockObject(Connection, &OldIrql);
|
||||||
|
|
||||||
SpaceLeft -= ReadLength;
|
RecvLen -= ReadLength;
|
||||||
|
|
||||||
/* Use this special pbuf free callback function because we're outside tcpip thread */
|
/* Use this special pbuf free callback function because we're outside tcpip thread */
|
||||||
pbuf_free_callback(qp->p);
|
pbuf_free_callback(qp->p);
|
||||||
|
@ -208,6 +207,8 @@ InternalRecvEventHandler(void *arg, PTCP_PCB pcb, struct pbuf *p, const err_t er
|
||||||
return ERR_OK;
|
return ERR_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ASSERT(!LibTCPDequeuePacket(Connection));
|
||||||
|
|
||||||
if (p)
|
if (p)
|
||||||
{
|
{
|
||||||
len = TCPRecvEventHandler(arg, p);
|
len = TCPRecvEventHandler(arg, p);
|
||||||
|
|
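Review bot: The added `ASSERT(!LibTCPDequeuePacket(Connection));` in InternalRecvEventHandler wraps a call that, going by its name, removes an entry from the connection's packet queue, so the assertion is not free of side effects. In a free build, where ASSERT normally expands to nothing, the call and the check both disappear, while in a checked build a failing assertion has already taken the packet off the queue and dropped the only reference to it. Since this commit fixes an overflow caused by the queue holding more than a receive request can take, the invariant is better tested with a non-destructive emptiness check on the queue, and enforced with a runtime branch in all builds if later code relies on it, with a comment stating why the queue is expected to be empty at this point. The handler's body starts and ends outside the visible hunk, so whether anything after this line depends on the queue being empty cannot be confirmed from here.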