Author: akhaldi Date: Wed Sep 14 10:09:02 2016 New Revision: 72672
URL: http://svn.reactos.org/svn/reactos?rev=72672&view=rev Log: [IP] Avoid use-after-free of IPDATAGRAM_REASSEMBLY structures. By Roel Messiant. CORE-11889
Modified: trunk/reactos/sdk/lib/drivers/ip/network/receive.c
Modified: trunk/reactos/sdk/lib/drivers/ip/network/receive.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/sdk/lib/drivers/ip/network/... ==============================================================================
--- trunk/reactos/sdk/lib/drivers/ip/network/receive.c [iso-8859-1] (original)
+++ trunk/reactos/sdk/lib/drivers/ip/network/receive.c [iso-8859-1] Wed Sep 14 10:09:02 2016
@@ -489,21 +489,23 @@
*/
{
KIRQL OldIrql;
- PLIST_ENTRY CurrentEntry;
+ PLIST_ENTRY CurrentEntry, NextEntry;
PIPDATAGRAM_REASSEMBLY Current;
TcpipAcquireSpinLock(&ReassemblyListLock, &OldIrql);
CurrentEntry = ReassemblyListHead.Flink;
while (CurrentEntry != &ReassemblyListHead) {
- Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, ListEntry);
+ NextEntry = CurrentEntry->Flink;
+ Current = CONTAINING_RECORD(CurrentEntry, IPDATAGRAM_REASSEMBLY, ListEntry);
+
/* Unlink it from the list */
RemoveEntryList(CurrentEntry);
/* And free the descriptor */
FreeIPDR(Current);
- CurrentEntry = CurrentEntry->Flink;
+ CurrentEntry = NextEntry;
}
TcpipReleaseSpinLock(&ReassemblyListLock, OldIrql);
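Review bot: The teardown loop in this hunk still depends on a hand-saved `NextEntry` to avoid touching freed memory; because every descriptor is removed anyway, draining from the head with `while (!IsListEmpty(&ReassemblyListHead))` and `CurrentEntry = RemoveHeadList(&ReassemblyListHead);` would make a read of a freed `ListEntry` impossible by construction and drop the extra variable. If the current shape is kept, the new assignment deserves a why-comment such as `/* Save the successor now: FreeIPDR() releases the memory CurrentEntry points into */`, so a later cleanup does not fold it back into the old form. Other loops that free entries while walking a list are not visible here, but they are worth checking for the same `CurrentEntry->Flink` read after the free. The function's signature and closing brace lie outside the hunk.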