[ros-diffs] [cgutman] 53188: [LWIP] - Fix a buffer overflow when the packet queue has more packets than the receive request can take - Remove an extra variable

Author: cgutman Date: Thu Aug 11 21:22:00 2011 New Revision: 53188 URL: http://svn.reactos.org/svn/reactos?rev=53188&view=rev Log: [LWIP] - Fix a buffer overflow when the packet queue has more packets than the receive request can take - Remove an extra variable Modified: trunk/reactos/lib/drivers/lwip/src/rostcp.c Modified: trunk/reactos/lib/drivers/lwip/src/rostcp.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/lwip/src/rostc… ============================================================================== --- trunk/reactos/lib/drivers/lwip/src/rostcp.c [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/lwip/src/rostcp.c [iso-8859-1] Thu Aug 11 21:22:00 2011 @@ -83,11 +83,10 @@ PQUEUE_ENTRY qp; struct pbuf* p; NTSTATUS Status = STATUS_PENDING; - UINT ReadLength, ExistingDataLength, SpaceLeft; + UINT ReadLength, ExistingDataLength; KIRQL OldIrql; (*Received) = 0; - SpaceLeft = RecvLen; LockObject(Connection, &OldIrql); @@ -100,7 +99,7 @@ Status = STATUS_SUCCESS; - ReadLength = MIN(p->tot_len, SpaceLeft); + ReadLength = MIN(p->tot_len, RecvLen); if (ReadLength != p->tot_len) { if (ExistingDataLength) @@ -128,7 +127,7 @@ LockObject(Connection, &OldIrql); - SpaceLeft -= ReadLength; + RecvLen -= ReadLength; /* Use this special pbuf free callback function because we're outside tcpip thread */ pbuf_free_callback(qp->p); @@ -207,6 +206,8 @@ return ERR_OK; } + + ASSERT(!LibTCPDequeuePacket(Connection)); if (p) {