Author: cgutman Date: Fri Aug 14 01:38:57 2009 New Revision: 42659
URL: http://svn.reactos.org/svn/reactos?rev=42659&view=rev Log: - Fix a handle leak - Fix a potential NULL pointer dereference if ExAllocatePool fails - Fix a potential NULL pointer dereference that causes AFD to crash when the socket is closed with waiting send IRPs - Fix another NULL pointer dereference if NdisOpenConfiguration fails - Move ASSERT before accessing Status - Add some sanity checks - Most of these were found by Amine Khaldi
Modified: trunk/reactos/drivers/network/afd/afd/select.c trunk/reactos/drivers/network/afd/afd/tdiconn.c trunk/reactos/drivers/network/afd/afd/write.c trunk/reactos/drivers/network/ndis/ndis/miniport.c trunk/reactos/drivers/network/ndis/ndis/misc.c trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c trunk/reactos/drivers/network/tcpip/tcpip/info.c trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c
Modified: trunk/reactos/drivers/network/afd/afd/select.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/sel...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/select.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/select.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -207,7 +207,6 @@
if( (FCB->PollState & AFD_EVENT_CLOSE) || (PollReq->Handles[i].Status & AFD_EVENT_CLOSE) ) { - AFD_HANDLES(PollReq)[i].Handle = 0; PollReq->Handles[i].Events = 0; PollReq->Handles[i].Status = AFD_EVENT_CLOSE; Signalled++;
Modified: trunk/reactos/drivers/network/afd/afd/tdiconn.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/tdi...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/tdiconn.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/tdiconn.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -44,7 +44,8 @@
PTA_ADDRESS TaCopyAddress( PTA_ADDRESS Source ) {
UINT AddrLen = TaLengthOfAddress( Source );
PVOID Buffer = ExAllocatePool( NonPagedPool, AddrLen );
- RtlCopyMemory( Buffer, Source, AddrLen );
+ if (Buffer)
+ RtlCopyMemory( Buffer, Source, AddrLen );
return Buffer;
}
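Review bot: TaCopyAddress can now return NULL, and nothing at the definition says so; callers (none visible in this hunk) that previously faulted inside the copy will now receive a NULL PTA_ADDRESS and have to check it. A one-line contract comment above the function would make that explicit, e.g. `/* Returns a NonPagedPool copy of Source, or NULL if the allocation fails; the caller owns the result. */`. Source is still passed to TaLengthOfAddress unchecked, which is fine only if every caller guarantees it is non-NULL.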
Modified: trunk/reactos/drivers/network/afd/afd/write.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/wri...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -51,6 +51,8 @@
while( !IsListEmpty( &FCB->PendingIrpList[FUNCTION_SEND] ) ) {
NextIrpEntry = RemoveHeadList(&FCB->PendingIrpList[FUNCTION_SEND]);
NextIrp = CONTAINING_RECORD(NextIrpEntry, IRP, Tail.Overlay.ListEntry);
+ NextIrpSp = IoGetCurrentIrpStackLocation( NextIrp );
+ SendReq = NextIrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
NextIrp->IoStatus.Status = STATUS_FILE_CLOSED;
NextIrp->IoStatus.Information = 0;
UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);
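Review bot: `SendReq` is loaded from `Type3InputBuffer` and dereferenced a few lines later in `UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);` with no check. That is safe only if every IRP queued on `PendingIrpList[FUNCTION_SEND]` already had its request locked and this field replaced by a kernel mapping, which the hunk does not show; otherwise the close path would be reading through a caller-supplied address. A comment stating that invariant next to the assignment, plus a runtime guard such as `if (SendReq) UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, FALSE);`, would make the assumption explicit. The loop body and the enclosing function continue outside the hunk.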
Modified: trunk/reactos/drivers/network/ndis/ndis/miniport.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/m...
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -1850,6 +1850,12 @@
*/
NdisOpenConfiguration(&NdisStatus, &ConfigHandle, (NDIS_HANDLE)&WrapperContext);
+ if (NdisStatus != NDIS_STATUS_SUCCESS)
+ {
+ NDIS_DbgPrint(MIN_TRACE, ("Failed to open configuration key\n"));
+ ExInterlockedRemoveEntryList( &Adapter->ListEntry, &AdapterListLock );
+ return NdisStatus;
+ }
Size = sizeof(ULONG);
Status = IoGetDeviceProperty(Adapter->NdisMiniportBlock.PhysicalDeviceObject,
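Review bot: The new failure path only unlinks the adapter from the list before `return NdisStatus;`, and what the function acquired earlier is not visible in this hunk, so it should be confirmed that this exit releases the same things as the function's other error exits. The trace line also drops the reason for the failure; `NDIS_DbgPrint(MIN_TRACE, ("Failed to open configuration key (0x%x)\n", NdisStatus));` would make the log usable when diagnosing a miniport that fails to start. The enclosing function starts and ends outside the hunk.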
Modified: trunk/reactos/drivers/network/ndis/ndis/misc.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/m...
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/misc.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/misc.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -237,10 +237,10 @@
NDIS_DbgPrint(MAX_TRACE, ("Called.\n"));
+ ASSERT ( Status && FileName ); + *Status = NDIS_STATUS_SUCCESS; FullFileName.Buffer = NULL; - - ASSERT ( Status && FileName );
FullFileName.Length = sizeof(NDIS_FILE_FOLDER); FullFileName.MaximumLength = FileName->MaximumLength + sizeof(NDIS_FILE_FOLDER);
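Review bot: `ASSERT ( Status && FileName );` is the only guard in front of `*Status = NDIS_STATUS_SUCCESS;` and `FileName->MaximumLength`, and ASSERT is normally compiled out of free builds, so a NULL argument still faults there. If NULL is a possible input rather than a programming error, a runtime check is needed as well, for example `if (!FileName) { *Status = NDIS_STATUS_FAILURE; return; }`, assuming the function reports errors only through `*Status` (its signature is outside the hunk). The same applies to `ASSERT(Connection->AddressFile);` in the dispatch.c hunk, where the pointer is connection state rather than an argument and the previous runtime test was removed.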
Modified: trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip...
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/dispatch.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -582,10 +582,7 @@
TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile: %x\n", Connection->AddressFile )); - if( Connection->AddressFile ) { - TI_DbgPrint(MIN_TRACE, ("Connection->AddressFile->Listener: %x\n", - Connection->AddressFile->Listener)); - } + ASSERT(Connection->AddressFile);
Status = DispPrepareIrpForCancel (TranContext->Handle.ConnectionContext,
Modified: trunk/reactos/drivers/network/tcpip/tcpip/info.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip...
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/info.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/info.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -19,7 +19,7 @@
/* The driver returns success even when it couldn't fit every available
* byte. */
- if( RememberedCBSize < SizeOut )
+ if( RememberedCBSize < SizeOut || !ClientBuf )
return TDI_SUCCESS;
else {
CopyBufferToBufferChain( ClientBuf, 0, (PCHAR)DataOut, SizeOut );
@@ -99,7 +99,7 @@
TI_DbgPrint(DEBUG_INFO,("BufSize: %d, NeededSize: %d\n", BufSize, Size));
- if (BufSize < Size)
+ if (BufSize < Size || !Buffer)
{
TcpipReleaseSpinLock( &EntityListLock, OldIrql );
/* The buffer is too small to contain requested data, but we return
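Review bot: `|| !Buffer` routes a NULL output buffer into the branch whose comment describes a buffer that is too small, so the caller gets that branch's status with nothing written; the earlier hunk at -19 does the same with `|| !ClientBuf` and returns TDI_SUCCESS. If a NULL buffer is meant to act as a size query, the comments should say so, e.g. `/* A NULL or too-small buffer is not an error: nothing is copied. */`. If it is a caller error, a distinct failure status would be easier to diagnose than a success with no data. Which status this second branch returns, and whether the needed size is reported back, lies outside the hunk.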
Modified: trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpip...
==============================================================================
--- trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/ninfo.c [iso-8859-1] Fri Aug 14 01:38:57 2009
@@ -91,20 +91,17 @@
RtCount = CopyFIBs( RCache );
while( RtCurrent < RouteEntries + RtCount ) { - /* Copy Desitnation */ + ASSERT(RCacheCur->Router); + RtlCopyMemory( &RtCurrent->Dest, &RCacheCur->NetworkAddress.Address, sizeof(RtCurrent->Dest) ); RtlCopyMemory( &RtCurrent->Mask, &RCacheCur->Netmask.Address, sizeof(RtCurrent->Mask) ); - - if( RCacheCur->Router ) - RtlCopyMemory( &RtCurrent->Gw, - &RCacheCur->Router->Address.Address, - sizeof(RtCurrent->Gw) ); - else - RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) ); + RtlCopyMemory( &RtCurrent->Gw, + &RCacheCur->Router->Address.Address, + sizeof(RtCurrent->Gw) );
RtCurrent->Metric1 = RCacheCur->Metric; RtCurrent->Type = TDI_ADDRESS_TYPE_IP;
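Review bot: The gateway copy now reads `RCacheCur->Router->Address.Address` unconditionally, where the removed code zero-filled `Gw` when `RCacheCur->Router` was NULL. The only protection left is `ASSERT(RCacheCur->Router);`, which free builds normally drop. Unless CopyFIBs is guaranteed never to return an entry without a router (not visible here), keeping the fallback costs less than a NULL dereference while building the route table: `if( RCacheCur->Router ) RtlCopyMemory( &RtCurrent->Gw, &RCacheCur->Router->Address.Address, sizeof(RtCurrent->Gw) ); else RtlZeroMemory( &RtCurrent->Gw, sizeof(RtCurrent->Gw) );`. The loop continues past the end of the hunk.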