Author: cgutman
Date: Fri Aug 14 01:38:57 2009
New Revision: 42659

URL: http://svn.reactos.org/svn/reactos?rev=42659&view=rev
Log:
 - Fix a handle leak
 - Fix a potential NULL pointer dereference if ExAllocatePool fails
 - Fix a potential NULL pointer dereference that causes AFD to crash when the 
socket is closed with waiting send IRPs
 - Fix another NULL pointer dereference if NdisOpenConfiguration fails
 - Move ASSERT before accessing Status
 - Add some sanity checks
 - Most of these were found by Amine Khaldi

Modified:
    trunk/reactos/drivers/network/afd/afd/select.c
    trunk/reactos/drivers/network/afd/afd/tdiconn.c
    trunk/reactos/drivers/network/afd/afd/write.c
    trunk/reactos/drivers/network/ndis/ndis/miniport.c
    trunk/reactos/drivers/network/ndis/ndis/misc.c
    trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c
    trunk/reactos/drivers/network/tcpip/tcpip/info.c
    trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c

Modified: trunk/reactos/drivers/network/afd/afd/select.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/select.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/select.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/select.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -207,7 +207,6 @@
 
            if( (FCB->PollState & AFD_EVENT_CLOSE) ||
                (PollReq->Handles[i].Status & AFD_EVENT_CLOSE) ) {
-               AFD_HANDLES(PollReq)[i].Handle = 0;
                PollReq->Handles[i].Events = 0;
                PollReq->Handles[i].Status = AFD_EVENT_CLOSE;
                Signalled++;

Modified: trunk/reactos/drivers/network/afd/afd/tdiconn.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/tdiconn.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/tdiconn.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/tdiconn.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -44,7 +44,8 @@
 PTA_ADDRESS TaCopyAddress( PTA_ADDRESS Source ) {
     UINT AddrLen = TaLengthOfAddress( Source );
     PVOID Buffer = ExAllocatePool( NonPagedPool, AddrLen );
-    RtlCopyMemory( Buffer, Source, AddrLen );
+    if (Buffer)
+       RtlCopyMemory( Buffer, Source, AddrLen );
     return Buffer;
 }
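Review bot: TaCopyAddress can now return NULL when ExAllocatePool fails, but nothing at the definition says so, and its call sites are outside this hunk. A header comment such as `/* Returns a NonPagedPool copy of Source, or NULL if the allocation fails. */` would make the contract explicit. Each caller should be checked for a NULL test before it uses the result; otherwise the dereference only moves one level up.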
 

Modified: trunk/reactos/drivers/network/afd/afd/write.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/write.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -51,6 +51,8 @@
         while( !IsListEmpty( &FCB->PendingIrpList[FUNCTION_SEND] ) ) {
               NextIrpEntry = 
RemoveHeadList(&FCB->PendingIrpList[FUNCTION_SEND]);
               NextIrp = CONTAINING_RECORD(NextIrpEntry, IRP, 
Tail.Overlay.ListEntry);
+              NextIrpSp = IoGetCurrentIrpStackLocation( NextIrp );
+              SendReq = NextIrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
               NextIrp->IoStatus.Status = STATUS_FILE_CLOSED;
               NextIrp->IoStatus.Information = 0;
               UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);
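Review bot: SendReq is read from `Parameters.DeviceIoControl.Type3InputBuffer` and dereferenced two lines later in `UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE)` with no check in between. That is only safe if every IRP queued on `PendingIrpList[FUNCTION_SEND]` had this field replaced by a locked, kernel-side copy of the request before it was queued, which this hunk does not show. A comment after the assignment such as `/* Type3InputBuffer holds the locked send request stored when the IRP was queued */` would record that invariant, once confirmed against the queuing code. The enclosing function starts and ends outside the hunk.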

Modified: trunk/reactos/drivers/network/ndis/ndis/miniport.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/miniport.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -1850,6 +1850,12 @@
    */
 
   NdisOpenConfiguration(&NdisStatus, &ConfigHandle, 
(NDIS_HANDLE)&WrapperContext);
+  if (NdisStatus != NDIS_STATUS_SUCCESS)
+  {
+      NDIS_DbgPrint(MIN_TRACE, ("Failed to open configuration key\n"));
+      ExInterlockedRemoveEntryList( &Adapter->ListEntry, &AdapterListLock );
+      return NdisStatus;
+  }
 
   Size = sizeof(ULONG);
   Status = IoGetDeviceProperty(Adapter->NdisMiniportBlock.PhysicalDeviceObject,
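Review bot: The new failure path after NdisOpenConfiguration only unlinks Adapter from the adapter list before `return NdisStatus;`. Anything allocated or registered earlier in this function is not visible here, so the hunk cannot confirm that nothing is left behind. The function's other early returns, which are outside the hunk, are the reference to compare against; if they release more state, this path should do the same. A short comment such as `/* Adapter is released by <owner> */` would record who frees it.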

Modified: trunk/reactos/drivers/network/ndis/ndis/misc.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/misc.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/misc.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/misc.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -237,10 +237,10 @@
 
   NDIS_DbgPrint(MAX_TRACE, ("Called.\n"));
 
+  ASSERT ( Status && FileName );
+
   *Status = NDIS_STATUS_SUCCESS;
   FullFileName.Buffer = NULL;
-
-  ASSERT ( Status && FileName );
 
   FullFileName.Length = sizeof(NDIS_FILE_FOLDER);
   FullFileName.MaximumLength = FileName->MaximumLength + 
sizeof(NDIS_FILE_FOLDER);
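Review bot: `ASSERT ( Status && FileName );` now runs before `*Status` is written, but ASSERT is compiled out of non-debug builds, so there a NULL FileName still reaches `FileName->MaximumLength` a few lines further down. If a NULL argument can come from a caller, the runtime guard is an explicit `if (!FileName) { *Status = NDIS_STATUS_FAILURE; return; }`; the return type is not visible in the hunk, so the bare `return;` is an assumption. The dispatch.c hunk in this commit has the same shape: `ASSERT(Connection->AddressFile);` is the only check before whatever uses AddressFile later in that function.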

Modified: trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c [iso-8859-1] Fri Aug 
14 01:38:57 2009
@@ -582,10 +582,7 @@
 
   TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile: %x\n",
                          Connection->AddressFile ));
-  if( Connection->AddressFile ) {
-      TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile->Listener: %x\n",
-                             Connection->AddressFile->Listener));
-  }
+  ASSERT(Connection->AddressFile);
 
   Status = DispPrepareIrpForCancel
       (TranContext->Handle.ConnectionContext,

Modified: trunk/reactos/drivers/network/tcpip/tcpip/info.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip/info.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/info.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/info.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -19,7 +19,7 @@
 
     /* The driver returns success even when it couldn't fit every available
      * byte. */
-    if( RememberedCBSize < SizeOut )
+    if( RememberedCBSize < SizeOut || !ClientBuf )
        return TDI_SUCCESS;
     else {
        CopyBufferToBufferChain( ClientBuf, 0, (PCHAR)DataOut, SizeOut );
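Review bot: A NULL ClientBuf now takes the same branch as a too-small buffer and returns TDI_SUCCESS, so a caller cannot tell "nothing was copied" from a completed copy unless the size is reported some other way, which this hunk does not show. The comment above the test describes only the size case; extending it with `/* ... or when no client buffer was supplied. */` would keep it accurate. The second hunk in this file (`if (BufSize < Size || !Buffer)`) does the same thing and needs the same comment update. If a NULL buffer is a caller error rather than a size query, a distinct status such as TDI_INVALID_PARAMETER would be clearer.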
@@ -99,7 +99,7 @@
 
     TI_DbgPrint(DEBUG_INFO,("BufSize: %d, NeededSize: %d\n", BufSize, Size));
 
-    if (BufSize < Size)
+    if (BufSize < Size || !Buffer)
     {
        TcpipReleaseSpinLock( &EntityListLock, OldIrql );
        /* The buffer is too small to contain requested data, but we return

Modified: trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c?rev=42659&r1=42658&r2=42659&view=diff
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c [iso-8859-1] Fri Aug 14 
01:38:57 2009
@@ -91,20 +91,17 @@
     RtCount = CopyFIBs( RCache );
 
     while( RtCurrent < RouteEntries + RtCount ) {
-       /* Copy Desitnation */
+       ASSERT(RCacheCur->Router);
+
        RtlCopyMemory( &RtCurrent->Dest,
                       &RCacheCur->NetworkAddress.Address,
                       sizeof(RtCurrent->Dest) );
        RtlCopyMemory( &RtCurrent->Mask,
                       &RCacheCur->Netmask.Address,
                       sizeof(RtCurrent->Mask) );
-
-       if( RCacheCur->Router )
-           RtlCopyMemory( &RtCurrent->Gw,
-                          &RCacheCur->Router->Address.Address,
-                          sizeof(RtCurrent->Gw) );
-       else
-           RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) );
+       RtlCopyMemory( &RtCurrent->Gw,
+                      &RCacheCur->Router->Address.Address,
+                      sizeof(RtCurrent->Gw) );
 
        RtCurrent->Metric1 = RCacheCur->Metric;
        RtCurrent->Type = TDI_ADDRESS_TYPE_IP;
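Review bot: The removed `else RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) );` branch was the only runtime handling of a route entry without a router. With `ASSERT(RCacheCur->Router);` in its place, a build without assertions dereferences `RCacheCur->Router->Address.Address` unconditionally. Whether CopyFIBs can return entries with a NULL Router is not visible in this hunk; unless that is ruled out, keeping the `if( RCacheCur->Router )` / `else` pair alongside the ASSERT preserves the old zero-gateway result. The loop body continues outside the hunk.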

