- Validate the output buffer size before writing to it

- Fix some potential memory leaks - Lock the FCB in AfdCloseSocket svn path=/trunk/; revision=40300
2024-08-12 06:06:27 +00:00 · 2009-03-30 22:20:12 +00:00 · 2009-03-30 22:20:12 +00:00 · e84bd02268
parent a23569ce50
commit e84bd02268
3 changed files with 48 additions and 8 deletions
--- a/reactos/drivers/network/afd/afd/info.c
+++ b/reactos/drivers/network/afd/afd/info.c
@ -154,8 +154,10 @@ AfdGetPeerName( PDEVICE_OBJECT DeviceObject, PIRP Irp,

                if (NT_SUCCESS(Status))
                {
-                    RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress, TaLengthOfTransportAddress
-                                                                                  (ConnInfo->RemoteAddress));
+                    if (IrpSp->Parameters.DeviceIoControl.OutputBufferLength >= TaLengthOfTransportAddress(ConnInfo->RemoteAddress))
+                        RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress, TaLengthOfTransportAddress(ConnInfo->RemoteAddress));
+                    else
+                        Status = STATUS_BUFFER_TOO_SMALL;
                }
            }
         }
--- a/reactos/drivers/network/afd/afd/listen.c
+++ b/reactos/drivers/network/afd/afd/listen.c
@ -215,7 +215,21 @@ NTSTATUS AfdListenSocket(PDEVICE_OBJECT DeviceObject, PIRP Irp,
 	  FCB->LocalAddress->Address[0].AddressType );

    if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo )
+    {
+        if (FCB->ListenIrp.ConnectionReturnInfo)
+        {
+            ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+            FCB->ListenIrp.ConnectionReturnInfo = NULL;
+        }
+
+        if (FCB->ListenIrp.ConnectionCallInfo)
+        {
+            ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+            FCB->ListenIrp.ConnectionCallInfo = NULL;
+        }
+
 	return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+    }

    FCB->State = SOCKET_STATE_LISTENING;

@ -230,6 +244,9 @@ NTSTATUS AfdListenSocket(PDEVICE_OBJECT DeviceObject, PIRP Irp,
    if( Status == STATUS_PENDING )
 	Status = STATUS_SUCCESS;

+    if (NT_SUCCESS(Status))
+        FCB->NeedsNewListen = FALSE;
+
    AFD_DbgPrint(MID_TRACE,("Returning %x\n", Status));
    return UnlockAndMaybeComplete( FCB, Status, Irp, 0 );
 }
@ -298,7 +315,21 @@ NTSTATUS AfdAccept( PDEVICE_OBJECT DeviceObject, PIRP Irp,
                FCB->LocalAddress->Address[0].AddressType );

            if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo )
+            {
+                if (FCB->ListenIrp.ConnectionReturnInfo)
+                {
+                    ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+                    FCB->ListenIrp.ConnectionReturnInfo = NULL;
+                }
+
+                if (FCB->ListenIrp.ConnectionCallInfo)
+                {
+                    ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+                    FCB->ListenIrp.ConnectionCallInfo = NULL;
+                }
+
 	        return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+            }

 	    Status = TdiListen( &FCB->ListenIrp.InFlightRequest,
 				FCB->Connection.Object,
--- a/reactos/drivers/network/afd/afd/main.c
+++ b/reactos/drivers/network/afd/afd/main.c
@ -142,11 +142,14 @@ AfdCreateSocket(PDEVICE_OBJECT DeviceObject, PIRP Irp,
 	/* Allocate our backup buffer */
 	FCB->Recv.Window = ExAllocatePool( NonPagedPool, FCB->Recv.Size );
 	if( !FCB->Recv.Window ) Status = STATUS_NO_MEMORY;
-        FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
-	if( !FCB->Send.Window ) {
-	    if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
-	    Status = STATUS_NO_MEMORY;
-	}
+        if( NT_SUCCESS(Status) )
+        {
+            FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
+	    if( !FCB->Send.Window ) {
+	         if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
+	         Status = STATUS_NO_MEMORY;
+            }
+	     }
 	/* A datagram socket is always sendable */
 	FCB->PollState |= AFD_EVENT_SEND;
        PollReeval( FCB->DeviceExt, FCB->FileObject );
@ -235,6 +238,8 @@ AfdCloseSocket(PDEVICE_OBJECT DeviceObject, PIRP Irp,
    AFD_DbgPrint(MID_TRACE,
 		 ("AfdClose(DeviceObject %p Irp %p)\n", DeviceObject, Irp));

+    if( !SocketAcquireStateLock( FCB ) ) return LostSocket( Irp );
+
    AFD_DbgPrint(MID_TRACE,("FCB %x\n", FCB));

    FCB->PollState |= AFD_EVENT_CLOSE;
@ -244,11 +249,13 @@ AfdCloseSocket(PDEVICE_OBJECT DeviceObject, PIRP Irp,
    if( FCB->EventSelect ) ObDereferenceObject( FCB->EventSelect );

    FileObject->FsContext = NULL;
+    SocketStateUnlock( FCB );
+
    DestroySocket( FCB );

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
-    IoCompleteRequest(Irp, IO_NO_INCREMENT);
+    IoCompleteRequest(Irp, IO_NETWORK_INCREMENT);

    AFD_DbgPrint(MID_TRACE, ("Returning success.\n"));