Author: akhaldi
Date: Wed Sep 14 10:09:02 2016
New Revision: 72672

URL: http://svn.reactos.org/svn/reactos?rev=72672&view=rev
Log:
[IP] Avoid use-after-free of IPDATAGRAM_REASSEMBLY structures. By Roel 
Messiant. CORE-11889

Modified:
    trunk/reactos/sdk/lib/drivers/ip/network/receive.c

Modified: trunk/reactos/sdk/lib/drivers/ip/network/receive.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/sdk/lib/drivers/ip/network/receive.c?rev=72672&r1=72671&r2=72672&view=diff
==============================================================================
--- trunk/reactos/sdk/lib/drivers/ip/network/receive.c  [iso-8859-1] (original)
+++ trunk/reactos/sdk/lib/drivers/ip/network/receive.c  [iso-8859-1] Wed Sep 14 
10:09:02 2016
@@ -489,21 +489,23 @@
  */
 {
   KIRQL OldIrql;
-  PLIST_ENTRY CurrentEntry;
+  PLIST_ENTRY CurrentEntry, NextEntry;
   PIPDATAGRAM_REASSEMBLY Current;
 
   TcpipAcquireSpinLock(&ReassemblyListLock, &OldIrql);
 
   CurrentEntry = ReassemblyListHead.Flink;
   while (CurrentEntry != &ReassemblyListHead) {
-         Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, 
ListEntry);
+    NextEntry = CurrentEntry->Flink;
+    Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, 
ListEntry);
+
     /* Unlink it from the list */
     RemoveEntryList(CurrentEntry);
 
     /* And free the descriptor */
     FreeIPDR(Current);
 
-    CurrentEntry = CurrentEntry->Flink;
+    CurrentEntry = NextEntry;
   }
 
   TcpipReleaseSpinLock(&ReassemblyListLock, OldIrql);
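Review bot: The added `NextEntry = CurrentEntry->Flink;` line carries the whole fix, but nothing says why the successor must be read before `FreeIPDR(Current)`, so a later cleanup could fold it back into the old post-free read. I would add `/* Read the successor now: Current, which contains this ListEntry, is freed below */` directly above it. Because the loop drains the entire list under ReassemblyListLock, `while (!IsListEmpty(&ReassemblyListHead)) { CurrentEntry = RemoveHeadList(&ReassemblyListHead); ...` would remove the need for a saved pointer altogether. The function's signature and closing brace are outside the hunk. Any other loops in receive.c that free IPDATAGRAM_REASSEMBLY entries while walking the list are not visible here and are worth checking for the same read-after-free pattern.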

