Author: cgutman Date: Thu Aug 11 21:22:00 2011 New Revision: 53188 URL: http://svn.reactos.org/svn/reactos?rev=53188&view=rev Log: [LWIP] - Fix a buffer overflow when the packet queue has more packets than the receive request can take - Remove an extra variable
Modified: trunk/reactos/lib/drivers/lwip/src/rostcp.c
Modified: trunk/reactos/lib/drivers/lwip/src/rostcp.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/lwip/src/rostcp.c?rev=53188&r1=53187&r2=53188&view=diff
==============================================================================
--- trunk/reactos/lib/drivers/lwip/src/rostcp.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/lwip/src/rostcp.c [iso-8859-1] Thu Aug 11 21:22:00 2011
@@ -83,11 +83,10 @@
 PQUEUE_ENTRY qp;
 struct pbuf* p;
 NTSTATUS Status = STATUS_PENDING;
- UINT ReadLength, ExistingDataLength, SpaceLeft;
+ UINT ReadLength, ExistingDataLength;
 KIRQL OldIrql;
 (*Received) = 0;
- SpaceLeft = RecvLen;
 LockObject(Connection, &OldIrql);
@@ -100,7 +99,7 @@
 Status = STATUS_SUCCESS;
- ReadLength = MIN(p->tot_len, SpaceLeft);
+ ReadLength = MIN(p->tot_len, RecvLen);
 if (ReadLength != p->tot_len)
 {
 if (ExistingDataLength)
@@ -128,7 +127,7 @@
 LockObject(Connection, &OldIrql);
- SpaceLeft -= ReadLength;
+ RecvLen -= ReadLength;
 /* Use this special pbuf free callback function because we're outside tcpip thread */
 pbuf_free_callback(qp->p);
@@ -207,6 +206,8 @@
 return ERR_OK;
 }
+
+ ASSERT(!LibTCPDequeuePacket(Connection));
 if (p)
 {
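Review bot: `RecvLen -= ReadLength;` in the @@ -128 hunk is an unsigned subtraction with no visible guard, and the parameter now doubles as the remaining-space counter without a comment saying so. The arithmetic at `ReadLength = MIN(p->tot_len, RecvLen);` is the same as the removed SpaceLeft version, so the overflow fix presumably lies in code outside the hunks that was reading RecvLen while only SpaceLeft shrank. I would record that invariant at the decrement, `/* RecvLen is now the space still free in the caller's buffer; every copy length and loop test must use it */`, and add `ASSERT(ReadLength <= RecvLen);` before the subtraction in case the `if (ReadLength != p->tot_len)` branch, which the hunk cuts off, adjusts ReadLength. Any later code in this function that needs the originally requested length will now see the reduced value. The function starts and ends outside both hunks.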
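Review bot: `ASSERT(!LibTCPDequeuePacket(Connection));` puts a call with a side effect inside an assertion; judging by its name and by how `qp` is consumed in the receive path, the call removes an entry from the connection's queue. If ASSERT compiles to nothing in free builds, as is usual, the check exists only in checked builds, and there a failing assertion has already unlinked a packet that nothing visible frees. Where the queue contents depend on what the peer sends, a remote peer could also trip the assertion. I would test emptiness without consuming, `ASSERT(<side-effect-free empty check on the connection's packet queue>);`, or handle a non-empty queue explicitly in all builds. The enclosing function starts and ends outside the hunk.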