Author: cgutman
Date: Fri Aug 14 01:42:21 2009
New Revision: 42660

URL: http://svn.reactos.org/svn/reactos?rev=42660&view=rev
Log:
 - Fix a NULL pointer dereference if ExAllocatePool fails
 - Move some sanity checks into the right location
 - Fix another NULL pointer dereference if there is not a socket on the queue
 - Also spotted by Amine Khaldi

Modified:
    trunk/reactos/lib/drivers/ip/network/routines.c
    trunk/reactos/lib/drivers/ip/transport/tcp/accept.c
    trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c

Modified: trunk/reactos/lib/drivers/ip/network/routines.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/network/routines.c?rev=42660&r1=42659&r2=42660&view=diff
==============================================================================
--- trunk/reactos/lib/drivers/ip/network/routines.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/network/routines.c [iso-8859-1] Fri Aug 14 
01:42:21 2009
@@ -117,9 +117,11 @@
         NdisQueryPacket(IPPacket->NdisPacket, NULL, NULL, NULL, &Length);
         Length -= MaxLLHeaderSize;
         Buffer = exAllocatePool(NonPagedPool, Length);
-        Length = CopyPacketToBuffer(Buffer, IPPacket->NdisPacket, 
MaxLLHeaderSize, Length);
-        DisplayTCPHeader(Buffer, Length);
-        exFreePool(Buffer);
+        if (Buffer) {
+            Length = CopyPacketToBuffer(Buffer, IPPacket->NdisPacket, 
MaxLLHeaderSize, Length);
+            DisplayTCPHeader(Buffer, Length);
+            exFreePool(Buffer);
+        }
     } else {
         Buffer = IPPacket->Header;
         Length = IPPacket->ContigSize;
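Review bot: `Length -= MaxLLHeaderSize;` above the allocation is still unchecked, so a packet whose queried length is smaller than MaxLLHeaderSize would wrap (assuming Length is unsigned, as the NdisQueryPacket length output suggests) and request an enormous pool allocation. The new `if (Buffer)` turns that case into a silently skipped dump rather than a crash, but the short packet is better rejected before the subtraction, e.g. by wrapping the subtraction, allocation and dump in `if (Length > MaxLLHeaderSize) { ... }`. A comment on the new branch such as `/* Debug dump only: skip it if the pool allocation fails */` would also make the silent skip explicit. The enclosing function starts and ends outside this hunk, so whether Buffer is read again after this branch cannot be confirmed from here.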

Modified: trunk/reactos/lib/drivers/ip/transport/tcp/accept.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/tcp/accept.c?rev=42660&r1=42659&r2=42660&view=diff
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/tcp/accept.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/tcp/accept.c [iso-8859-1] Fri Aug 14 
01:42:21 2009
@@ -70,16 +70,16 @@
     NTSTATUS Status = STATUS_SUCCESS;
     SOCKADDR_IN AddressToBind;
 
-    TI_DbgPrint(DEBUG_TCP,("TCPListen started\n"));
-
-    TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %x\n",
-    Connection->SocketContext));
+    TcpipRecursiveMutexEnter( &TCPLock, TRUE );
 
     ASSERT(Connection);
     ASSERT_KM_POINTER(Connection->SocketContext);
     ASSERT_KM_POINTER(Connection->AddressFile);
 
-    TcpipRecursiveMutexEnter( &TCPLock, TRUE );
+    TI_DbgPrint(DEBUG_TCP,("TCPListen started\n"));
+
+    TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %x\n",
+    Connection->SocketContext));
 
     AddressToBind.sin_family = AF_INET;
     memcpy( &AddressToBind.sin_addr,
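Review bot: The only guards before `Connection->SocketContext` is dereferenced are `ASSERT` and `ASSERT_KM_POINTER`, which normally compile to nothing in free builds, so a NULL Connection would still fault in the code that follows, and now does so while TCPLock is held. If any caller can reach this function with an unvalidated connection, a runtime check before taking the lock is safer: `if (!Connection || !Connection->AddressFile) return STATUS_INVALID_PARAMETER;`. Separately, the moved debug print formats a pointer with `%x`; `%p` avoids truncation on 64-bit targets. The function body starts and ends outside this hunk, so the matching mutex release on every return path cannot be checked from here.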

Modified: trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c?rev=42660&r1=42659&r2=42660&view=diff
==============================================================================
--- trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c [iso-8859-1] 
(original)
+++ trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c [iso-8859-1] Fri 
Aug 14 01:42:21 2009
@@ -358,14 +358,14 @@
     so = head->so_q;
 
     inp = so ? (struct inpcb *)so->so_pcb : NULL;
-    if( inp ) {
+    if( inp && name ) {
         ((struct sockaddr_in *)AddrOut)->sin_addr.s_addr =
             inp->inp_faddr.s_addr;
         ((struct sockaddr_in *)AddrOut)->sin_port = inp->inp_fport;
     }
 
     OS_DbgPrint(OSK_MID_TRACE,("error = %d\n", error));
-    if( FinishAccepting ) {
+    if( FinishAccepting && so ) {
        head->so_q = so->so_q;
        head->so_qlen--;
 
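Review bot: The new guard tests `name`, but the block it protects writes through `AddrOut`. Neither declaration is visible in the hunk, so unless `name` is an alias of `AddrOut` the check does not cover the pointer that is actually dereferenced. Testing the pointer that is used makes the intent unambiguous: `if( inp && AddrOut ) {`. The hunk also shows no comparison of the caller's buffer length against `sizeof(struct sockaddr_in)` before the two stores; if that is not done earlier in the function, it belongs in the same condition. With `FinishAccepting` set and `so` NULL the dequeue is now skipped, so it is worth confirming outside the hunk that `error` reports that case to the caller rather than success.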

