Author: cgutman
Date: Fri Aug 14 01:38:57 2009
New Revision: 42659
URL:
http://svn.reactos.org/svn/reactos?rev=42659&view=rev
Log:
- Fix a handle leak
- Fix a potential NULL pointer dereference if ExAllocatePool fails
- Fix a potential NULL pointer dereference that causes AFD to crash when the socket is
closed with waiting send IRPs
- Fix another NULL pointer dereference if NdisOpenConfiguration fails
- Move ASSERT before accessing Status
- Add some sanity checks
- Most of these were found by Amine Khaldi
Modified:
trunk/reactos/drivers/network/afd/afd/select.c
trunk/reactos/drivers/network/afd/afd/tdiconn.c
trunk/reactos/drivers/network/afd/afd/write.c
trunk/reactos/drivers/network/ndis/ndis/miniport.c
trunk/reactos/drivers/network/ndis/ndis/misc.c
trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c
trunk/reactos/drivers/network/tcpip/tcpip/info.c
trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c
Modified: trunk/reactos/drivers/network/afd/afd/select.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/se…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/select.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/select.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -207,7 +207,6 @@
if( (FCB->PollState & AFD_EVENT_CLOSE) ||
(PollReq->Handles[i].Status & AFD_EVENT_CLOSE) ) {
- AFD_HANDLES(PollReq)[i].Handle = 0;
PollReq->Handles[i].Events = 0;
PollReq->Handles[i].Status = AFD_EVENT_CLOSE;
Signalled++;
Modified: trunk/reactos/drivers/network/afd/afd/tdiconn.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/td…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/tdiconn.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/tdiconn.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -44,7 +44,8 @@
PTA_ADDRESS TaCopyAddress( PTA_ADDRESS Source ) {
UINT AddrLen = TaLengthOfAddress( Source );
PVOID Buffer = ExAllocatePool( NonPagedPool, AddrLen );
- RtlCopyMemory( Buffer, Source, AddrLen );
+ if (Buffer)
+ RtlCopyMemory( Buffer, Source, AddrLen );
return Buffer;
}
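Review bot: TaCopyAddress now returns NULL when ExAllocatePool fails, so the NULL check has moved to every caller, and no call site is visible in this hunk to confirm that the result is tested before use. A short header comment would make the contract explicit, for example `/* Returns a NonPagedPool copy of Source, or NULL if the allocation fails; the caller frees it. */`. Source is still passed unchecked to TaLengthOfAddress on the line above the allocation, which is fine only if callers never pass NULL.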
Modified: trunk/reactos/drivers/network/afd/afd/write.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/wr…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -51,6 +51,8 @@
while( !IsListEmpty( &FCB->PendingIrpList[FUNCTION_SEND] ) ) {
NextIrpEntry = RemoveHeadList(&FCB->PendingIrpList[FUNCTION_SEND]);
NextIrp = CONTAINING_RECORD(NextIrpEntry, IRP, Tail.Overlay.ListEntry);
+ NextIrpSp = IoGetCurrentIrpStackLocation( NextIrp );
+ SendReq = NextIrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
NextIrp->IoStatus.Status = STATUS_FILE_CLOSED;
NextIrp->IoStatus.Information = 0;
UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);
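Review bot: SendReq is dereferenced in the UnlockBuffers call shortly after it is read from `Parameters.DeviceIoControl.Type3InputBuffer`, with no check that it is non-NULL. That field carries the caller-supplied pointer for METHOD_NEITHER requests, so this is safe only if every IRP placed on PendingIrpList[FUNCTION_SEND] had its request buffer validated and locked before it was queued, which cannot be confirmed from this hunk. I would state that invariant in a comment above the two added lines, or guard the call with `if( SendReq )`. The loop body continues outside the hunk.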
Modified: trunk/reactos/drivers/network/ndis/ndis/miniport.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/…
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] Fri Aug 14 01:38:57
2009
@@ -1850,6 +1850,12 @@
*/
NdisOpenConfiguration(&NdisStatus, &ConfigHandle,
(NDIS_HANDLE)&WrapperContext);
+ if (NdisStatus != NDIS_STATUS_SUCCESS)
+ {
+ NDIS_DbgPrint(MIN_TRACE, ("Failed to open configuration key\n"));
+ ExInterlockedRemoveEntryList( &Adapter->ListEntry, &AdapterListLock );
+ return NdisStatus;
+ }
Size = sizeof(ULONG);
Status = IoGetDeviceProperty(Adapter->NdisMiniportBlock.PhysicalDeviceObject,
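Review bot: The new failure path after NdisOpenConfiguration undoes only the adapter list insertion before returning NdisStatus. The function begins outside this hunk, so anything else set up for Adapter before this point would have to be released here as well. It is worth comparing this return with the function's other failure exits so that they all clean up the same state. If nothing else is owned yet, a comment such as `/* only the adapter list entry needs undoing here */` would save the next reader that check.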
Modified: trunk/reactos/drivers/network/ndis/ndis/misc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/…
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/misc.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/misc.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -237,10 +237,10 @@
NDIS_DbgPrint(MAX_TRACE, ("Called.\n"));
+ ASSERT ( Status && FileName );
+
*Status = NDIS_STATUS_SUCCESS;
FullFileName.Buffer = NULL;
-
- ASSERT ( Status && FileName );
FullFileName.Length = sizeof(NDIS_FILE_FOLDER);
FullFileName.MaximumLength = FileName->MaximumLength + sizeof(NDIS_FILE_FOLDER);
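Review bot: `ASSERT ( Status && FileName );` is the only guard before `*Status` and `FileName->MaximumLength` are dereferenced, and assertions are normally compiled out of non-debug builds, so a NULL argument would still fault there. If either pointer can be NULL at run time, a real check is needed, e.g. `if( !FileName ) { *Status = NDIS_STATUS_FAILURE; return; }`. The function's signature is outside the hunk, so the exact exit would need confirming. The same applies to `ASSERT(Connection->AddressFile);` in the dispatch.c hunk, which takes the place of an `if` that guarded a debug print.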
Modified: trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpi…
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c [iso-8859-1] Fri Aug 14 01:38:57
2009
@@ -582,10 +582,7 @@
TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile: %x\n",
Connection->AddressFile ));
- if( Connection->AddressFile ) {
- TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile->Listener: %x\n",
- Connection->AddressFile->Listener));
- }
+ ASSERT(Connection->AddressFile);
Status = DispPrepareIrpForCancel
(TranContext->Handle.ConnectionContext,
Modified: trunk/reactos/drivers/network/tcpip/tcpip/info.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpi…
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/info.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/info.c [iso-8859-1] Fri Aug 14 01:38:57
2009
@@ -19,7 +19,7 @@
/* The driver returns success even when it couldn't fit every available
* byte. */
- if( RememberedCBSize < SizeOut )
+ if( RememberedCBSize < SizeOut || !ClientBuf )
return TDI_SUCCESS;
else {
CopyBufferToBufferChain( ClientBuf, 0, (PCHAR)DataOut, SizeOut );
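Review bot: With the added `|| !ClientBuf`, a NULL client buffer now returns TDI_SUCCESS without copying anything, so the caller is told the query succeeded although no data was delivered. The existing comment justifies success only for the too-small case; a missing buffer looks like a parameter error and would be better reported separately, e.g. `if( !ClientBuf ) return TDI_INVALID_PARAMETER;` ahead of the size test. The second hunk in this file (`if (BufSize < Size || !Buffer)`) folds a NULL Buffer into the too-small path in the same way. Whether the reported output length is adjusted on these paths is not visible here. Both functions continue outside their hunks.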
@@ -99,7 +99,7 @@
TI_DbgPrint(DEBUG_INFO,("BufSize: %d, NeededSize: %d\n", BufSize, Size));
- if (BufSize < Size)
+ if (BufSize < Size || !Buffer)
{
TcpipReleaseSpinLock( &EntityListLock, OldIrql );
/* The buffer is too small to contain requested data, but we return
Modified: trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpi…
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c [iso-8859-1] Fri Aug 14 01:38:57
2009
@@ -91,20 +91,17 @@
RtCount = CopyFIBs( RCache );
while( RtCurrent < RouteEntries + RtCount ) {
- /* Copy Desitnation */
+ ASSERT(RCacheCur->Router);
+
RtlCopyMemory( &RtCurrent->Dest,
&RCacheCur->NetworkAddress.Address,
sizeof(RtCurrent->Dest) );
RtlCopyMemory( &RtCurrent->Mask,
&RCacheCur->Netmask.Address,
sizeof(RtCurrent->Mask) );
-
- if( RCacheCur->Router )
- RtlCopyMemory( &RtCurrent->Gw,
- &RCacheCur->Router->Address.Address,
- sizeof(RtCurrent->Gw) );
- else
- RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) );
+ RtlCopyMemory( &RtCurrent->Gw,
+ &RCacheCur->Router->Address.Address,
+ sizeof(RtCurrent->Gw) );
RtCurrent->Metric1 = RCacheCur->Metric;
RtCurrent->Type = TDI_ADDRESS_TYPE_IP;
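Review bot: The removed `else` branch zero-filled RtCurrent->Gw for a cache entry whose Router is NULL, whereas the new code asserts and then dereferences `RCacheCur->Router->Address.Address` unconditionally. Assertions are normally absent from non-debug builds, so if any entry returned by CopyFIBs can lack a router, this becomes a NULL dereference in the driver instead of a zero gateway. Unless that invariant is established elsewhere, keep the run-time test alongside the assertion: `if( RCacheCur->Router ) RtlCopyMemory( ... ); else RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) );`. The loop continues outside the hunk.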