Author: cgutman Date: Sun Aug 17 04:03:29 2014 New Revision: 63899
URL: http://svn.reactos.org/svn/reactos?rev=63899&view=rev Log: [TCPIP] - Reference the address file while delivering data to avoid a use after free when an address file is closed during datagram delivery
Modified: trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c trunk/reactos/lib/drivers/ip/transport/udp/udp.c
Modified: trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip...
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c [iso-8859-1] Sun Aug 17 04:03:29 2014
@@ -222,7 +222,7 @@
* ARGUMENTS:
* SearchContext = Pointer to search context
* RETURNS:
- * Pointer to address file, NULL if none was found
+ * Pointer to referenced address file, NULL if none was found
*/
PADDRESS_FILE AddrSearchNext(
PAF_SEARCH SearchContext)
@@ -232,6 +232,7 @@
KIRQL OldIrql;
PADDRESS_FILE Current = NULL;
BOOLEAN Found = FALSE;
+ PADDRESS_FILE StartingAddrFile;
TcpipAcquireSpinLock(&AddressFileListLock, &OldIrql);
@@ -241,8 +242,8 @@
return NULL;
}
- /* Remove the extra reference we added to keep this address file in memory */
- DereferenceObject(CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE, ListEntry));
+ /* Save this pointer so we can dereference it later */
+ StartingAddrFile = CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE, ListEntry);
CurrentEntry = SearchContext->Next;
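Review bot: The comment on the new `StartingAddrFile` line says only that the pointer is saved "so we can dereference it later", but what actually happens here is a reference transfer: `SearchContext->Next` carries a reference that was taken elsewhere (the "Reference the next address file" call in a later hunk, and presumably AddrSearchFirst for the first call, which is not visible here), and this function is now adopting and later releasing that reference. That also explains why the `return NULL` path just above needs no release: `Next` is the list head there, which is not a referenced object. I would spell that out so the next maintainer does not "fix" the missing release on the early return: `/* SearchContext->Next holds a reference taken by the caller's previous search step; adopt it here and keep it until the returned file has its own reference */`. AddrSearchNext continues outside this hunk.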
@@ -279,9 +280,15 @@
/* Reference the next address file to prevent the link from disappearing behind our back */
ReferenceObject(CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE, ListEntry));
}
+
+ /* Reference the returned address file before dereferencing the starting
+ * address file because it may be that Current == StartingAddrFile */
+ ReferenceObject(Current);
}
else
Current = NULL;
+
+ DereferenceObject(StartingAddrFile);
TcpipReleaseSpinLock(&AddressFileListLock, OldIrql);
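Review bot: AddrSearchNext now hands every caller a reference it must release, and this commit only updates the rawip.c and udp.c loops; any other caller of AddrSearchNext that is not touched here (I cannot see the full call graph from this diff) will now leak a reference per returned file, which keeps closed address files resident indefinitely, so it is worth grepping for remaining callers before landing. The RETURNS line in the header hunk should make the obligation explicit rather than just saying "referenced", e.g. `* Pointer to address file holding a reference the caller must release with DereferenceObject(), NULL if none was found`. Note also that `DereferenceObject(StartingAddrFile)` runs while AddressFileListLock is still held, so if that is the last reference the object's free path runs under the spin lock; the removed code had the same property, but it is worth confirming the free routine never reacquires that lock. The `return` of AddrSearchNext is past the end of this hunk.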
Modified: trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/ra...
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c [iso-8859-1] Sun Aug 17 04:03:29 2014
@@ -321,6 +321,7 @@
0,
IPPacket,
DataSize);
+ DereferenceObject(AddrFile);
} while ((AddrFile = AddrSearchNext(&SearchContext)) != NULL);
} else {
/* There are no open address files that will take this datagram */
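Review bot: The added `DereferenceObject(AddrFile)` is only balanced if the AddrFile seen by the first pass of this do/while body was also obtained from AddrSearchNext (or otherwise carries a reference); the start of the loop and the initial assignment are outside this hunk, so please confirm the first iteration is not releasing a reference nobody took, which would underflow the count and reintroduce the use-after-free from the other side. Because the release sits at the very end of the body, any `continue` or early exit later added to the delivery path above it silently leaks the file; a one-line comment on the new line would guard against that: `/* AddrSearchNext() returned this file referenced; release it once delivery is done */`. The enclosing function begins before this hunk.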
Modified: trunk/reactos/lib/drivers/ip/transport/udp/udp.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/ud...
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/udp/udp.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/udp/udp.c [iso-8859-1] Sun Aug 17 04:03:29 2014
@@ -320,6 +320,7 @@
UDPHeader->DestPort,
IPPacket,
DataSize);
+ DereferenceObject(AddrFile);
} while ((AddrFile = AddrSearchNext(&SearchContext)) != NULL);
} else {
/* There are no open address files that will take this datagram */
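Review bot: Same shape as the rawip.c hunk: the new `DereferenceObject(AddrFile)` assumes the AddrFile that entered this do/while body already carried a reference from AddrSearchNext, and the assignment that seeds the loop lies before the hunk, so it should be checked rather than assumed. The ordering is correct for the bug being fixed, since the deliver call receiving `DataSize` completes before the reference is dropped, so a concurrent close can no longer free the address file mid-delivery. I would document that intent on the new line, `/* keep the address file alive across delivery; drop the search reference afterwards */`, so a later refactor does not move the release above the call. The enclosing function begins before this hunk.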