Author: cgutman
Date: Fri Aug 14 01:42:21 2009
New Revision: 42660
URL:
http://svn.reactos.org/svn/reactos?rev=42660&view=rev
Log:
- Fix a NULL pointer dereference if ExAllocatePool fails
- Move some sanity checks into the right location
- Fix another NULL pointer dereference if there is not a socket on the queue
- Also spotted by Amine Khaldi
Modified:
trunk/reactos/lib/drivers/ip/network/routines.c
trunk/reactos/lib/drivers/ip/transport/tcp/accept.c
trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c
Modified: trunk/reactos/lib/drivers/ip/network/routines.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/network/rou…
==============================================================================
--- trunk/reactos/lib/drivers/ip/network/routines.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/network/routines.c [iso-8859-1] Fri Aug 14 01:42:21 2009
@@ -117,9 +117,11 @@
NdisQueryPacket(IPPacket->NdisPacket, NULL, NULL, NULL, &Length);
Length -= MaxLLHeaderSize;
Buffer = exAllocatePool(NonPagedPool, Length);
- Length = CopyPacketToBuffer(Buffer, IPPacket->NdisPacket, MaxLLHeaderSize,
Length);
- DisplayTCPHeader(Buffer, Length);
- exFreePool(Buffer);
+ if (Buffer) {
+ Length = CopyPacketToBuffer(Buffer, IPPacket->NdisPacket, MaxLLHeaderSize,
Length);
+ DisplayTCPHeader(Buffer, Length);
+ exFreePool(Buffer);
+ }
} else {
Buffer = IPPacket->Header;
Length = IPPacket->ContigSize;
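Review bot: `Length -= MaxLLHeaderSize;`, just above the new `if (Buffer)` guard, is still unchecked, so a packet whose queried length is smaller than MaxLLHeaderSize would wrap Length (assuming it is unsigned; its declaration is outside the hunk) and turn the pool request into a very large one. The new NULL check would probably absorb the resulting allocation failure, but that relies on the allocator refusing the request rather than on the code rejecting the short packet. I would bound the value before subtracting, for example by wrapping the subtraction and the allocation in `if (Length >= MaxLLHeaderSize) { ... }`, and add a comment such as `/* Debug dump only: skip silently if the packet is short or the pool is exhausted */`. The enclosing function starts and ends outside the hunk.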
Modified: trunk/reactos/lib/drivers/ip/transport/tcp/accept.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/t…
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/tcp/accept.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/tcp/accept.c [iso-8859-1] Fri Aug 14 01:42:21
2009
@@ -70,16 +70,16 @@
NTSTATUS Status = STATUS_SUCCESS;
SOCKADDR_IN AddressToBind;
- TI_DbgPrint(DEBUG_TCP,("TCPListen started\n"));
-
- TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %x\n",
- Connection->SocketContext));
+ TcpipRecursiveMutexEnter( &TCPLock, TRUE );
ASSERT(Connection);
ASSERT_KM_POINTER(Connection->SocketContext);
ASSERT_KM_POINTER(Connection->AddressFile);
- TcpipRecursiveMutexEnter( &TCPLock, TRUE );
+ TI_DbgPrint(DEBUG_TCP,("TCPListen started\n"));
+
+ TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %x\n",
+ Connection->SocketContext));
AddressToBind.sin_family = AF_INET;
memcpy( &AddressToBind.sin_addr,
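Review bot: The moved `TI_DbgPrint` formats `Connection->SocketContext` with `%x`, but the preceding `ASSERT_KM_POINTER(Connection->SocketContext)` indicates it is a pointer, so the value is truncated or misprinted wherever a pointer is wider than an unsigned int. `%p` is the matching specifier: `TI_DbgPrint(DEBUG_TCP,("Connection->SocketContext %p\n", Connection->SocketContext));`. Separately, the three assertions are the only validation of Connection before it is dereferenced. If ASSERT compiles out in non-debug builds (presumably it does, but that is not visible here), a NULL Connection still reaches the dereference, so a one-line comment stating that callers guarantee a non-NULL Connection with a valid SocketContext and AddressFile would document the contract. The function's signature and the rest of its body are outside the hunk.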
Modified: trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/oskittcp/oskit…
==============================================================================
--- trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/oskittcp/oskittcp/interface.c [iso-8859-1] Fri Aug 14
01:42:21 2009
@@ -358,14 +358,14 @@
so = head->so_q;
inp = so ? (struct inpcb *)so->so_pcb : NULL;
- if( inp ) {
+ if( inp && name ) {
((struct sockaddr_in *)AddrOut)->sin_addr.s_addr =
inp->inp_faddr.s_addr;
((struct sockaddr_in *)AddrOut)->sin_port = inp->inp_fport;
}
OS_DbgPrint(OSK_MID_TRACE,("error = %d\n", error));
- if( FinishAccepting ) {
+ if( FinishAccepting && so ) {
head->so_q = so->so_q;
head->so_qlen--;
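Review bot: The new condition `if( inp && name )` tests `name`, while both stores inside the branch go through `AddrOut`, so the guard only protects them if `name` is an alias of `AddrOut`, which the hunk does not show. Testing the pointer that is actually written, `if( inp && AddrOut ) {`, would make the check self-evident. The stores also assume the caller's buffer holds at least a `struct sockaddr_in`; whether a length is validated before this point cannot be seen from the hunk and is worth confirming. The function begins and ends outside the hunk, so what is returned to the caller when `so` is NULL and `FinishAccepting` is set is likewise not visible here.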