Author: cgutman
Date: Sun Aug 17 04:03:29 2014
New Revision: 63899

URL: http://svn.reactos.org/svn/reactos?rev=63899&view=rev
Log:
[TCPIP]
- Reference the address file while delivering data to avoid a use after free 
when an address file is closed during datagram delivery

Modified:
    trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c
    trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c
    trunk/reactos/lib/drivers/ip/transport/udp/udp.c

Modified: trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c?rev=63899&r1=63898&r2=63899&view=diff
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c        [iso-8859-1] 
(original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c        [iso-8859-1] 
Sun Aug 17 04:03:29 2014
@@ -222,7 +222,7 @@
  * ARGUMENTS:
  *     SearchContext = Pointer to search context
  * RETURNS:
- *     Pointer to address file, NULL if none was found
+ *     Pointer to referenced address file, NULL if none was found
  */
 PADDRESS_FILE AddrSearchNext(
     PAF_SEARCH SearchContext)
@@ -232,6 +232,7 @@
     KIRQL OldIrql;
     PADDRESS_FILE Current = NULL;
     BOOLEAN Found = FALSE;
+    PADDRESS_FILE StartingAddrFile;
     
     TcpipAcquireSpinLock(&AddressFileListLock, &OldIrql);
 
@@ -241,8 +242,8 @@
         return NULL;
     }
 
-    /* Remove the extra reference we added to keep this address file in memory 
*/
-    DereferenceObject(CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE, 
ListEntry));
+    /* Save this pointer so we can dereference it later */
+    StartingAddrFile = CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE, 
ListEntry);
 
     CurrentEntry = SearchContext->Next;
 
@@ -279,9 +280,15 @@
             /* Reference the next address file to prevent the link from 
disappearing behind our back */
             ReferenceObject(CONTAINING_RECORD(SearchContext->Next, 
ADDRESS_FILE, ListEntry));
         }
+
+        /* Reference the returned address file before dereferencing the 
starting
+         * address file because it may be that Current == StartingAddrFile */
+        ReferenceObject(Current);
     }
     else
         Current = NULL;
+
+    DereferenceObject(StartingAddrFile);
 
     TcpipReleaseSpinLock(&AddressFileListLock, OldIrql);
 
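Review bot: `DereferenceObject(StartingAddrFile);` is executed while AddressFileListLock is still held (the release follows on the next line), so if dropping the last reference tears down the address file and that teardown path takes the same list lock or unlinks the entry, this would re-enter a spin lock already held by this thread; the removed code had the same ordering, but the commit is a good moment to either confirm the release path never needs the lock or move the call to just after `TcpipReleaseSpinLock(&AddressFileListLock, OldIrql);`, which is safe because the reference being dropped is the one that kept the object alive. Since the function now hands back a referenced object, the bare `else Current = NULL;` should be braced and the return documented, e.g. `/* Caller owns one reference on the returned address file and must DereferenceObject it */`. AddrSearchNext starts and ends outside this hunk.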

Modified: trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c?rev=63899&r1=63898&r2=63899&view=diff
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c        [iso-8859-1] 
(original)
+++ trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c        [iso-8859-1] 
Sun Aug 17 04:03:29 2014
@@ -321,6 +321,7 @@
                     0,
                     IPPacket,
                     DataSize);
+      DereferenceObject(AddrFile);
     } while ((AddrFile = AddrSearchNext(&SearchContext)) != NULL);
   } else {
     /* There are no open address files that will take this datagram */
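Review bot: The added `DereferenceObject(AddrFile);` drops a reference on every pass, including the first, so the count is only balanced if AddrSearchFirst (not in this diff) returns a referenced address file in the same way the revised AddrSearchNext does; that is worth confirming before merge, since an unowned dereference here would free an address file still on the list. Any early `break` in the loop body, which begins above the hunk, would skip the release and keep the address file alive until the reference is leaked. The identical hunk in udp.c has the same two questions. A one-line comment at the call site, `/* AddrSearchFirst/Next return a referenced address file; release it once delivery is done */`, would record the ownership for the next reader.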

Modified: trunk/reactos/lib/drivers/ip/transport/udp/udp.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/udp/udp.c?rev=63899&r1=63898&r2=63899&view=diff
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/udp/udp.c    [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/udp/udp.c    [iso-8859-1] Sun Aug 17 
04:03:29 2014
@@ -320,6 +320,7 @@
                    UDPHeader->DestPort,
                     IPPacket,
                     DataSize);
+      DereferenceObject(AddrFile);
     } while ((AddrFile = AddrSearchNext(&SearchContext)) != NULL);
   } else {
     /* There are no open address files that will take this datagram */

