Author: akhaldi Date: Wed Sep 14 10:09:02 2016 New Revision: 72672 URL: http://svn.reactos.org/svn/reactos?rev=72672&view=rev Log: [IP] Avoid use-after-free of IPDATAGRAM_REASSEMBLY structures. By Roel Messiant. CORE-11889 Modified: trunk/reactos/sdk/lib/drivers/ip/network/receive.c Modified: trunk/reactos/sdk/lib/drivers/ip/network/receive.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/sdk/lib/drivers/ip/network… ============================================================================== --- trunk/reactos/sdk/lib/drivers/ip/network/receive.c [iso-8859-1] (original) +++ trunk/reactos/sdk/lib/drivers/ip/network/receive.c [iso-8859-1] Wed Sep 14 10:09:02 2016 @@ -489,21 +489,23 @@ */ { KIRQL OldIrql; - PLIST_ENTRY CurrentEntry; + PLIST_ENTRY CurrentEntry, NextEntry; PIPDATAGRAM_REASSEMBLY Current; TcpipAcquireSpinLock(&ReassemblyListLock, &OldIrql); CurrentEntry = ReassemblyListHead.Flink; while (CurrentEntry != &ReassemblyListHead) { - Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, ListEntry); + NextEntry = CurrentEntry->Flink; + Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, ListEntry); + /* Unlink it from the list */ RemoveEntryList(CurrentEntry); /* And free the descriptor */ FreeIPDR(Current); - CurrentEntry = CurrentEntry->Flink; + CurrentEntry = NextEntry; } TcpipReleaseSpinLock(&ReassemblyListLock, OldIrql);