A bit better... still a security bug.

Best regards,
Alex Ionescu


On Mon, Dec 31, 2018 at 8:00 AM Pierre Schweitzer <pierre@reactos.org> wrote:
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=89a4cde14a5ac1d3363a8efbca9c26c9f93f037a

commit 89a4cde14a5ac1d3363a8efbca9c26c9f93f037a
Author:     Pierre Schweitzer <pierre@reactos.org>
AuthorDate: Mon Dec 31 13:59:58 2018 +0100
Commit:     Pierre Schweitzer <pierre@reactos.org>
CommitDate: Mon Dec 31 14:00:34 2018 +0100

    [TCPIP] Don't assume the TEB is always defined

    Fixes the crash in kmtest:TcpIpConnect test.
---
 drivers/network/tcpip/tcpip/fileobjs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/network/tcpip/tcpip/fileobjs.c b/drivers/network/tcpip/tcpip/fileobjs.c
index 400f956034..f050a09b0c 100644
--- a/drivers/network/tcpip/tcpip/fileobjs.c
+++ b/drivers/network/tcpip/tcpip/fileobjs.c
@@ -396,6 +396,7 @@ NTSTATUS FileOpenAddress(
   PVOID Options)
 {
   PADDRESS_FILE AddrFile;
+  PTEB Teb;

   TI_DbgPrint(MID_TRACE, ("Called (Proto %d).\n", Protocol));

@@ -429,7 +430,12 @@ NTSTATUS FileOpenAddress(
   AddrFile->BCast = 1;
   AddrFile->HeaderIncl = 1;
   AddrFile->ProcessId = PsGetCurrentProcessId();
-  AddrFile->SubProcessTag = ((PTEB)PsGetCurrentThreadTeb())->SubProcessTag;
+
+  Teb = PsGetCurrentThreadTeb();
+  if (Teb != NULL) {
+    AddrFile->SubProcessTag = Teb->SubProcessTag;
+  }
+
   KeQuerySystemTime(&AddrFile->CreationTime);

   /* Make sure address is a local unicast address or 0 */
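Review bot: the NULL check only covers threads that have no TEB at all (system threads); it does not address the unsafe dereference itself. `PsGetCurrentThreadTeb()` returns a pointer into the calling process's user-mode address space, so `Teb->SubProcessTag` is still a raw kernel-mode read of pageable memory whose page protection and contents user mode controls. A fault there is not an exception returned to the caller but a bugcheck, and the value read is attacker-controlled data that the driver then stores as trusted. The read should be wrapped in the driver's SEH convention, e.g. `_SEH2_TRY { AddrFile->SubProcessTag = Teb->SubProcessTag; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { AddrFile->SubProcessTag = NULL; } _SEH2_END;`, and ideally performed only when the create request originated from user mode. A second, smaller point: in the `Teb == NULL` branch this hunk leaves `AddrFile->SubProcessTag` unassigned; nothing visible here shows `AddrFile` being zero-initialized, so add an explicit `else` that sets it to `NULL` rather than relying on the allocator.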