27 Jun
2021
27 Jun
'21
3:46 p.m.
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=979b7d4d8e6ca8e80ea5b…
commit 979b7d4d8e6ca8e80ea5b30c70f17a7c868b060f
Author: Hervé Poussineau <hpoussin(a)reactos.org>
AuthorDate: Sun Jun 27 14:44:54 2021 +0200
Commit: Hervé Poussineau <hpoussin(a)reactos.org>
CommitDate: Sun Jun 27 17:45:53 2021 +0200
[TCPIP] Fix bugcheck when using fragmented datagrams
Memory was allocated from paged pool, and freed at DISPATCH_LEVEL,
leading to the following bugcheck:
*** Fatal System Error: 0x000000c2
(0x00000009,0x00000002,0x00000001,0xB7C8A268)
Entered debugger on embedded INT3 at 0x0008:0x8058324B.
kdb:> bt
Eip:
<ntoskrnl.exe:18324c (sdk/lib/rtl/i386/debug_asm.S:56
(RtlpBreakWithStatusInstruction))>
<ntoskrnl.exe:89b21 (ntoskrnl/ke/bug.c:1066 (KeBugCheckWithTf))>
<ntoskrnl.exe:8a08b (ntoskrnl/ke/bug.c:1413 (KeBugCheckEx))>
<ntoskrnl.exe:abb1d (ntoskrnl/mm/ARM3/expool.c:431 (ExFreePoolWithTag))>
<tcpip.sys:13e42 (sdk/lib/drivers/ip/network/receive.c:114 (FreeIPDR))>
<tcpip.sys:14e09 (sdk/include/ddk/wdm.h:11462 (IPDatagramReassemblyTimeout))>
<tcpip.sys:11604 (sdk/lib/drivers/ip/network/ip.c:135 (IPTimeoutDpcFn))>
<ntoskrnl.exe:8b7d0 (ntoskrnl/ke/dpc.c:282 (KiTimerExpiration))>
<ntoskrnl.exe:8c2c8 (ntoskrnl/ke/dpc.c:592 (KiRetireDpcList))>
<ntoskrnl.exe:1420b2 (ntoskrnl/ke/i386/thrdini.c:294 (KiIdleLoop))>
<ntoskrnl.exe:23a54a (ntoskrnl/ke/i386/kiinit.c:687
(KiSystemStartupBootStack))>
---
sdk/lib/drivers/ip/network/receive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk/lib/drivers/ip/network/receive.c b/sdk/lib/drivers/ip/network/receive.c
index bddef7972dd..86e7ff7475c 100644
--- a/sdk/lib/drivers/ip/network/receive.c
+++ b/sdk/lib/drivers/ip/network/receive.c
@@ -215,7 +215,7 @@ ReassembleDatagram(
RtlCopyMemory(&IPPacket->DstAddr, &IPDR->DstAddr, sizeof(IP_ADDRESS));
/* Allocate space for full IP datagram */
- IPPacket->Header = ExAllocatePoolWithTag(PagedPool, IPPacket->TotalSize,
PACKET_BUFFER_TAG);
+ IPPacket->Header = ExAllocatePoolWithTag(NonPagedPool, IPPacket->TotalSize,
PACKET_BUFFER_TAG);
if (!IPPacket->Header) {
TI_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
(*IPPacket->Free)(IPPacket);