https://git.reactos.org/?p=reactos.git;a=commitdiff;h=979b7d4d8e6ca8e80ea5b3...
commit 979b7d4d8e6ca8e80ea5b30c70f17a7c868b060f Author: Hervé Poussineau hpoussin@reactos.org AuthorDate: Sun Jun 27 14:44:54 2021 +0200 Commit: Hervé Poussineau hpoussin@reactos.org CommitDate: Sun Jun 27 17:45:53 2021 +0200
[TCPIP] Fix bugcheck when using fragmented datagrams
Memory was allocated from paged pool, and freed at DISPATCH_LEVEL, leading to the following bugcheck:
*** Fatal System Error: 0x000000c2 (0x00000009,0x00000002,0x00000001,0xB7C8A268)
Entered debugger on embedded INT3 at 0x0008:0x8058324B. kdb:> bt Eip: <ntoskrnl.exe:18324c (sdk/lib/rtl/i386/debug_asm.S:56 (RtlpBreakWithStatusInstruction))> <ntoskrnl.exe:89b21 (ntoskrnl/ke/bug.c:1066 (KeBugCheckWithTf))> <ntoskrnl.exe:8a08b (ntoskrnl/ke/bug.c:1413 (KeBugCheckEx))> <ntoskrnl.exe:abb1d (ntoskrnl/mm/ARM3/expool.c:431 (ExFreePoolWithTag))> <tcpip.sys:13e42 (sdk/lib/drivers/ip/network/receive.c:114 (FreeIPDR))> <tcpip.sys:14e09 (sdk/include/ddk/wdm.h:11462 (IPDatagramReassemblyTimeout))> <tcpip.sys:11604 (sdk/lib/drivers/ip/network/ip.c:135 (IPTimeoutDpcFn))> <ntoskrnl.exe:8b7d0 (ntoskrnl/ke/dpc.c:282 (KiTimerExpiration))> <ntoskrnl.exe:8c2c8 (ntoskrnl/ke/dpc.c:592 (KiRetireDpcList))> <ntoskrnl.exe:1420b2 (ntoskrnl/ke/i386/thrdini.c:294 (KiIdleLoop))> <ntoskrnl.exe:23a54a (ntoskrnl/ke/i386/kiinit.c:687 (KiSystemStartupBootStack))> --- sdk/lib/drivers/ip/network/receive.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk/lib/drivers/ip/network/receive.c b/sdk/lib/drivers/ip/network/receive.c
index bddef7972dd..86e7ff7475c 100644
--- a/sdk/lib/drivers/ip/network/receive.c
+++ b/sdk/lib/drivers/ip/network/receive.c
@@ -215,7 +215,7 @@ ReassembleDatagram(
 RtlCopyMemory(&IPPacket->DstAddr, &IPDR->DstAddr, sizeof(IP_ADDRESS));
/* Allocate space for full IP datagram */
- IPPacket->Header = ExAllocatePoolWithTag(PagedPool, IPPacket->TotalSize, PACKET_BUFFER_TAG);
+ IPPacket->Header = ExAllocatePoolWithTag(NonPagedPool, IPPacket->TotalSize, PACKET_BUFFER_TAG);
 if (!IPPacket->Header) {
 TI_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
 (*IPPacket->Free)(IPPacket);
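Review bot: The comment above the allocation still reads only `/* Allocate space for full IP datagram */`, so nothing at the call site records why the pool type matters, and a later cleanup could switch it back to PagedPool. I would extend it to `/* NonPagedPool: this buffer may be freed at DISPATCH_LEVEL (reassembly timeout DPC) */`. Since `IPPacket->TotalSize` is presumably derived from received fragments, the request now draws a remotely influenced size from the scarcer nonpaged pool; its upper bound and any cap on pending reassemblies are set outside this hunk and are worth confirming. The backtrace in the description frees through FreeIPDR, so other PACKET_BUFFER_TAG allocations released on that path may need the same pool-type audit. ReassembleDatagram starts and ends outside the hunk.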