[TCPIP]

- Fix the overflow fix svn path=/trunk/; revision=54598
2024-06-30 09:50:07 +00:00 · 2011-12-05 03:51:01 +00:00 · 2011-12-05 03:51:01 +00:00 · b8680bd686
parent b855c23983
commit b8680bd686
2 changed files with 22 additions and 6 deletions
--- a/reactos/drivers/network/tcpip/include/receive.h
+++ b/reactos/drivers/network/tcpip/include/receive.h
@ -38,7 +38,7 @@ typedef struct IPDATAGRAM_REASSEMBLY {
    IP_ADDRESS DstAddr;          /* Destination address */
    UCHAR Protocol;              /* Internet Protocol number */
    USHORT Id;                   /* Identification number */
-    IP_HEADER IPv4Header;        /* Pointer to IP header */
+    PIP_HEADER IPv4Header;       /* Pointer to IP header */
    UINT HeaderSize;             /* Length of IP header */
    LIST_ENTRY FragmentListHead; /* IP fragment list */
    LIST_ENTRY HoleListHead;     /* IP datagram hole list */
--- a/reactos/lib/drivers/ip/network/receive.c
+++ b/reactos/lib/drivers/ip/network/receive.c
@ -108,6 +108,12 @@ VOID FreeIPDR(
    CurrentEntry = NextEntry;
  }

+  if (IPDR->IPv4Header)
+  {
+      TI_DbgPrint(DEBUG_IP, ("Freeing IPDR header at (0x%X).\n", IPDR->IPv4Header));
+      ExFreePoolWithTag(IPDR->IPv4Header, PACKET_BUFFER_TAG);
+  }
+
  TI_DbgPrint(DEBUG_IP, ("Freeing IPDR data at (0x%X).\n", IPDR));

  ExFreeToNPagedLookasideList(&IPDRList, IPDR);
@ -218,7 +224,7 @@ ReassembleDatagram(
  IPPacket->MappedHeader = FALSE;

  /* Copy the header into the buffer */
-  RtlCopyMemory(IPPacket->Header, &IPDR->IPv4Header, sizeof(IPDR->IPv4Header));
+  RtlCopyMemory(IPPacket->Header, IPDR->IPv4Header, IPDR->HeaderSize);

  Data = (PVOID)((ULONG_PTR)IPPacket->Header + IPDR->HeaderSize);
  IPPacket->Data = Data;
@ -394,11 +400,21 @@ VOID ProcessFragment(

    /* If this is the first fragment, save the IP header */
    if (FragFirst == 0) {
-      TI_DbgPrint(DEBUG_IP, ("First fragment found. Header buffer is at (0x%X). "
-        "Header size is (%d).\n", &IPDR->IPv4Header, IPPacket->HeaderSize));
+        IPDR->IPv4Header = ExAllocatePoolWithTag(NonPagedPool,
+                                                 IPPacket->HeaderSize,
+                                                 PACKET_BUFFER_TAG);
+        if (!IPDR->IPv4Header)
+        {
+            Cleanup(&IPDR->Lock, OldIrql, IPDR);
+            return;
+        }
+
+        RtlCopyMemory(IPDR->IPv4Header, IPPacket->Header, IPPacket->HeaderSize);
+        IPDR->HeaderSize = IPPacket->HeaderSize;
+
+        TI_DbgPrint(DEBUG_IP, ("First fragment found. Header buffer is at (0x%X). "
+                               "Header size is (%d).\n", &IPDR->IPv4Header, IPPacket->HeaderSize));

-      RtlCopyMemory(&IPDR->IPv4Header, IPPacket->Header, sizeof(IPDR->IPv4Header));
-      IPDR->HeaderSize = sizeof(IPDR->IPv4Header);
    }

    /* Create a buffer, copy the data into it and put it