[dchapyshev] 43050: - Handle potential null-pointer access. Found by Amine Khaldi. - Ros-diffs

14 Sep 2009

Author: dchapyshev
Date: Mon Sep 14 13:13:54 2009
New Revision: 43050
URL: http://svn.reactos.org/svn/reactos?rev=43050&view=rev
Log:
- Handle potential null-pointer access. Found by Amine Khaldi.
Modified:
    trunk/reactos/drivers/usb/nt4compat/usbdriver/ehci.c
Modified: trunk/reactos/drivers/usb/nt4compat/usbdriver/ehci.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/usb/nt4compat/usbdr...
==============================================================================

--- trunk/reactos/drivers/usb/nt4compat/usbdriver/ehci.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/usb/nt4compat/usbdriver/ehci.c [iso-8859-1] Mon Sep 14 13:13:54 2009
@@ -1573,6 +1573,7 @@
     PEHCI_QTD_CONTENT ptdc;
     PEHCI_QH_CONTENT pqhc;
     PEHCI_ELEM_LINKS pelnk;
+    PEHCI_ELEM_LINKS plnk;
if (ehci == NULL || purb == NULL)
         return STATUS_INVALID_PARAMETER;
@@ -1685,7 +1686,17 @@
     RemoveEntryList(&td_list);
elem_pool_lock(qh_pool, TRUE);
-    pqh = (PEHCI_QH) ((ULONG) elem_pool_alloc_elem(qh_pool)->phys_part & PHYS_PART_ADDR_MASK);
+
+    plnk = elem_pool_alloc_elem(qh_pool);
+    if (plnk == NULL)
+    {
+        // free the qtds
+        elem_safe_free(pthis, TRUE);
+        if (qh_pool) elem_pool_unlock(qh_pool, TRUE);
+        return STATUS_UNSUCCESSFUL;
+    }
+
+    pqh = (PEHCI_QH) ((ULONG) plnk->phys_part & PHYS_PART_ADDR_MASK);
     elem_pool_unlock(qh_pool, TRUE);
if (pqh == NULL)

    