IopFreeIoCompletionPacket has the opposite bug -- there is an interlocked push (free) even in the ExFreePool case. There should be a return following the ExFreePool, otherwise we're corrupting memory.

On Thu, Feb 28, 2008 at 11:37 AM, fireball@svn.reactos.org wrote:

Author: fireball Date: Thu Feb 28 14:37:14 2008 New Revision: 32521

URL: http://svn.reactos.org/svn/reactos?rev=32521&view=rev Log:

• Fix leaking an entry in some cases during ObpFreeCapturedAttributes call. For more details: http://www.reactos.org/forum/viewtopic.php?t=5311.

Modified: trunk/reactos/ntoskrnl/include/internal/ob_x.h

Modified: trunk/reactos/ntoskrnl/include/internal/ob_x.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/o... ============================================================================== --- trunk/reactos/ntoskrnl/include/internal/ob_x.h (original) +++ trunk/reactos/ntoskrnl/include/internal/ob_x.h Thu Feb 28 14:37:14 2008 @@ -290,6 +290,12 @@ List->L.FreeMisses++; List->L.Free(Buffer); }

•    else
  

•    {
  

•        /* The free was within the Depth */
  

•        InterlockedPushEntrySList(&List->L.ListHead,
  

•                                  (PSINGLE_LIST_ENTRY)Buffer);
  

•    }
  

  } else {