[IP] Avoid use-after-free of IPDATAGRAM_REASSEMBLY structures. By Roel Messiant. CORE-11889

svn path=/trunk/; revision=72672
2024-06-30 18:01:07 +00:00 · 2016-09-14 10:09:02 +00:00 · 2016-09-14 10:09:02 +00:00 · 7d478eb667
parent d87e3543c1
commit 7d478eb667
1 changed files with 5 additions and 3 deletions
--- a/reactos/sdk/lib/drivers/ip/network/receive.c
+++ b/reactos/sdk/lib/drivers/ip/network/receive.c
@ -489,21 +489,23 @@ VOID IPFreeReassemblyList(
 */
 {
  KIRQL OldIrql;
-  PLIST_ENTRY CurrentEntry;
+  PLIST_ENTRY CurrentEntry, NextEntry;
  PIPDATAGRAM_REASSEMBLY Current;

  TcpipAcquireSpinLock(&ReassemblyListLock, &OldIrql);

  CurrentEntry = ReassemblyListHead.Flink;
  while (CurrentEntry != &ReassemblyListHead) {
-	  Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, ListEntry);
+    NextEntry = CurrentEntry->Flink;
+    Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, ListEntry);
+
    /* Unlink it from the list */
    RemoveEntryList(CurrentEntry);

    /* And free the descriptor */
    FreeIPDR(Current);

-    CurrentEntry = CurrentEntry->Flink;
+    CurrentEntry = NextEntry;
  }

  TcpipReleaseSpinLock(&ReassemblyListLock, OldIrql);