From e90b905e0b5f5e5931cbc0eebe37fcc63ed09027 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Thu, 13 Aug 2009 23:42:21 +0000
Subject: [PATCH] - Fix a NULL pointer dereference if ExAllocatePool fails

- Move some sanity checks into the right location
- Fix another NULL pointer dereference if there is not a socket on the queue
- Also spotted by Amine Khaldi

svn path=/trunk/; revision=42660
---
 reactos/lib/drivers/ip/network/routines.c | 8 +++++---
 reactos/lib/drivers/ip/transport/tcp/accept.c | 10 +++++-----
 reactos/lib/drivers/oskittcp/oskittcp/interface.c | 4 ++--
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/reactos/lib/drivers/ip/network/routines.c b/reactos/lib/drivers/ip/network/routines.c
index 10de1855c0a..7688bff3f86 100644
--- a/reactos/lib/drivers/ip/network/routines.c
+++ b/reactos/lib/drivers/ip/network/routines.c
@@ -117,9 +117,11 @@ VOID DisplayTCPPacket(
 NdisQueryPacket(IPPacket->NdisPacket, NULL, NULL, NULL, &Length);
 Length -= MaxLLHeaderSize;
 Buffer = exAllocatePool(NonPagedPool, Length);
- Length = CopyPacketToBuffer(Buffer, IPPacket->NdisPacket, MaxLLHeaderSize, Length);
- DisplayTCPHeader(Buffer, Length);
- exFreePool(Buffer);
+ if (Buffer) {
+ Length = CopyPacketToBuffer(Buffer, IPPacket->NdisPacket, MaxLLHeaderSize, Length);
+ DisplayTCPHeader(Buffer, Length);
+ exFreePool(Buffer);
+ }
 } else {
 Buffer = IPPacket->Header;
 Length = IPPacket->ContigSize;
diff --git a/reactos/lib/drivers/ip/transport/tcp/accept.c b/reactos/lib/drivers/ip/transport/tcp/accept.c
index f9648fa5058..151f30952bc 100644
--- a/reactos/lib/drivers/ip/transport/tcp/accept.c
+++ b/reactos/lib/drivers/ip/transport/tcp/accept.c
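Review bot: The subtraction `Length -= MaxLLHeaderSize;` two lines above the new `if (Buffer)` is still unchecked, so a frame whose NDIS length is smaller than the link-layer header makes Length wrap (assuming it is an unsigned NDIS length, as the NdisQueryPacket call suggests — confirm) before it reaches exAllocatePool; the new check only catches the allocation failure that such a wrap may cause, and a wrapped length that does allocate is then handed to CopyPacketToBuffer and DisplayTCPHeader. Since the packet comes off the wire, guard the length before subtracting, e.g. `if (Length <= MaxLLHeaderSize) { TI_DbgPrint(DEBUG_TCP,("Packet too short to display\n")); } else { Length -= MaxLLHeaderSize; ... }`. Silently skipping the dump on allocation failure is fine for a debug routine, but a TI_DbgPrint in the else path would make a missing dump explainable. DisplayTCPPacket's body begins and ends outside the hunk.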
@@ -70,16 +70,16 @@ NTSTATUS TCPListen( PCONNECTION_ENDPOINT Connection, UINT Backlog ) {
 NTSTATUS Status = STATUS_SUCCESS;
 SOCKADDR_IN AddressToBind;

- TI_DbgPrint(DEBUG_TCP,("TCPListen started\n"));
-
- TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %x\n",
- Connection->SocketContext));
+ TcpipRecursiveMutexEnter( &TCPLock, TRUE );

 ASSERT(Connection);
 ASSERT_KM_POINTER(Connection->SocketContext);
 ASSERT_KM_POINTER(Connection->AddressFile);

- TcpipRecursiveMutexEnter( &TCPLock, TRUE );
+ TI_DbgPrint(DEBUG_TCP,("TCPListen started\n"));
+
+ TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %x\n",
+ Connection->SocketContext));

 AddressToBind.sin_family = AF_INET;
 memcpy( &AddressToBind.sin_addr,
diff --git a/reactos/lib/drivers/oskittcp/oskittcp/interface.c b/reactos/lib/drivers/oskittcp/oskittcp/interface.c
index 33b2d939cda..9109fe7de2e 100644
--- a/reactos/lib/drivers/oskittcp/oskittcp/interface.c
+++ b/reactos/lib/drivers/oskittcp/oskittcp/interface.c
@@ -358,14 +358,14 @@ int OskitTCPAccept( void *socket,
 so = head->so_q;
 inp = so ? (struct inpcb *)so->so_pcb : NULL;

- if( inp ) {
+ if( inp && name ) {
 ((struct sockaddr_in *)AddrOut)->sin_addr.s_addr = inp->inp_faddr.s_addr;
 ((struct sockaddr_in *)AddrOut)->sin_port = inp->inp_fport;
 }

 OS_DbgPrint(OSK_MID_TRACE,("error = %d\n", error));

- if( FinishAccepting ) {
+ if( FinishAccepting && so ) {
 head->so_q = so->so_q;
 head->so_qlen--;
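Review bot: The reordering now takes TCPLock with `TcpipRecursiveMutexEnter( &TCPLock, TRUE );` before the three ASSERTs, so on a checked build a failed assert fires with the lock held, and on a free build the ASSERTs compile out and a NULL Connection still reaches `Connection->SocketContext` in the moved TI_DbgPrint and in the code after the hunk. If Connection can arrive from an untrusted caller rather than only from the driver's own dispatch code (not visible here), the sanity check should be a real one placed before the lock is acquired, e.g. `if (!Connection || !Connection->SocketContext || !Connection->AddressFile) return STATUS_INVALID_PARAMETER;`, leaving the ASSERTs as the debug-build complement. The `%x` in the moved debug print also truncates a kernel pointer on 64-bit builds; `%p` is the matching specifier. TCPListen's body continues past the hunk.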