https://git.reactos.org/?p=reactos.git;a=commitdiff;h=9590cd15f4c1075b9b2029...
commit 9590cd15f4c1075b9b2029dc7890d0e4e1b957ee Author: Timo Kreuzer timo.kreuzer@reactos.org AuthorDate: Tue Jun 25 21:03:14 2019 +0200 Commit: Timo Kreuzer timo.kreuzer@reactos.org CommitDate: Sun Jun 30 13:57:14 2019 +0200
[FASTFAT] Fix use after free when volume is unmounted --- drivers/filesystems/fastfat/cleanup.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/filesystems/fastfat/cleanup.c b/drivers/filesystems/fastfat/cleanup.c
index d09df956ca4..ad5f120d914 100644
--- a/drivers/filesystems/fastfat/cleanup.c
+++ b/drivers/filesystems/fastfat/cleanup.c
@@ -18,9 +18,10 @@
/* * FUNCTION: Cleans up after a file has been closed. + * Returns whether the device was deleted */ static -NTSTATUS +BOOLEAN VfatCleanupFile( PVFAT_IRP_CONTEXT IrpContext) { @@ -29,6 +30,7 @@ VfatCleanupFile( BOOLEAN IsVolume; PDEVICE_EXTENSION DeviceExt = IrpContext->DeviceExt; PFILE_OBJECT FileObject = IrpContext->FileObject; + BOOLEAN Deleted = FALSE;
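Review bot: The added header line ` * Returns whether the device was deleted` on VfatCleanupFile does not state the obligation the new BOOLEAN puts on the caller. A TRUE return evidently means the caller must stop using the device extension, since VfatCleanup skips the DirResource release in that case, but nothing in the comment says so. I would spell the contract out, for example ` * RETURNS: TRUE if the volume was dismounted and its device deleted; the caller must then not touch IrpContext->DeviceExt, including DirResource.` That keeps a later caller from reintroducing the use after free this commit fixes.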
DPRINT("VfatCleanupFile(DeviceExt %p, FileObject %p)\n", IrpContext->DeviceExt, FileObject); @@ -36,7 +38,7 @@ VfatCleanupFile( /* FIXME: handle file/directory deletion here */ pFcb = (PVFATFCB)FileObject->FsContext; if (!pFcb) - return STATUS_SUCCESS; + return FALSE;
IsVolume = BooleanFlagOn(pFcb->Flags, FCB_IS_VOLUME); if (IsVolume) @@ -161,11 +163,11 @@ VfatCleanupFile( #ifdef ENABLE_SWAPOUT if (IsVolume && BooleanFlagOn(DeviceExt->Flags, VCB_DISMOUNT_PENDING)) { - VfatCheckForDismount(DeviceExt, TRUE); + Deleted = VfatCheckForDismount(DeviceExt, TRUE); } #endif
- return STATUS_SUCCESS; + return Deleted; }
/* @@ -175,7 +177,7 @@ NTSTATUS VfatCleanup( PVFAT_IRP_CONTEXT IrpContext) { - NTSTATUS Status; + BOOLEAN Deleted;
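Review bot: After `Deleted = VfatCheckForDismount(DeviceExt, TRUE);` returns TRUE, the local `DeviceExt` and `IrpContext->DeviceExt` both refer to an object reported as deleted, and nothing at the call site marks that. The visible code is safe only because `return Deleted;` follows immediately. A comment such as `/* On TRUE, DeviceExt is gone: nothing below this call may dereference it */` would guard against cleanup code being added after the `#endif` later. The body of VfatCleanupFile between old lines 38 and 161 is outside the hunks, so any other exit paths there cannot be checked from this diff.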
DPRINT("VfatCleanup(DeviceObject %p, Irp %p)\n", IrpContext->DeviceObject, IrpContext->Irp);
@@ -186,11 +188,11 @@ VfatCleanup( }
ExAcquireResourceExclusiveLite(&IrpContext->DeviceExt->DirResource, TRUE); - Status = VfatCleanupFile(IrpContext); - ExReleaseResourceLite(&IrpContext->DeviceExt->DirResource); + Deleted = VfatCleanupFile(IrpContext); + if (!Deleted) ExReleaseResourceLite(&IrpContext->DeviceExt->DirResource);
IrpContext->Irp->IoStatus.Information = 0; - return Status; + return STATUS_SUCCESS; }
/* EOF */
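Review bot: When `Deleted` is TRUE, VfatCleanup still returns with `IrpContext->DeviceExt` pointing at the deleted extension, so any later code on this IRP's path that reads it would hit the same use after free. That code lies outside the hunk (VfatCleanup's body also starts above it) and should be audited rather than assumed safe. Skipping `ExReleaseResourceLite` also means the exclusive hold on DirResource taken just above is never released; presumably VfatCheckForDismount tears the resource down, but that it tolerates doing so while this thread still owns it should be confirmed. On style, the one-line unbraced `if (!Deleted) ExReleaseResourceLite(...)` hides the reason for the asymmetry with the acquire. I would brace it and add `/* DeviceExt, and DirResource with it, no longer exists after a dismount */`.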