[cgutman] 40300: - Validate the output buffer size before writing to it - Fix some potential memory leaks - Lock the FCB in AfdCloseSocket - Ros-diffs

30 Mar 2009

Author: cgutman
Date: Tue Mar 31 02:20:12 2009
New Revision: 40300
URL: http://svn.reactos.org/svn/reactos?rev=40300&view=rev
Log:
 - Validate the output buffer size before writing to it
 - Fix some potential memory leaks
 - Lock the FCB in AfdCloseSocket
Modified:
    trunk/reactos/drivers/network/afd/afd/info.c
    trunk/reactos/drivers/network/afd/afd/listen.c
    trunk/reactos/drivers/network/afd/afd/main.c
Modified: trunk/reactos/drivers/network/afd/afd/info.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/inf...
==============================================================================

--- trunk/reactos/drivers/network/afd/afd/info.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/info.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -154,8 +154,10 @@
if (NT_SUCCESS(Status))
                 {
-                    RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress, TaLengthOfTransportAddress
-                                                                                  (ConnInfo->RemoteAddress));
+                    if (IrpSp->Parameters.DeviceIoControl.OutputBufferLength >= TaLengthOfTransportAddress(ConnInfo->RemoteAddress))
+                        RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress, TaLengthOfTransportAddress(ConnInfo->RemoteAddress));
+                    else
+                        Status = STATUS_BUFFER_TOO_SMALL;
                 }
             }
          }
Modified: trunk/reactos/drivers/network/afd/afd/listen.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/lis...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -215,7 +215,21 @@
      FCB->LocalAddress->Address[0].AddressType );
if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo )
+    {
+        if (FCB->ListenIrp.ConnectionReturnInfo)
+        {
+            ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+            FCB->ListenIrp.ConnectionReturnInfo = NULL;
+        }
+
+        if (FCB->ListenIrp.ConnectionCallInfo)
+        {
+            ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+            FCB->ListenIrp.ConnectionCallInfo = NULL;
+        }
+
    return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+    }
FCB->State = SOCKET_STATE_LISTENING;
@@ -229,6 +243,9 @@
if( Status == STATUS_PENDING )
    Status = STATUS_SUCCESS;
+
+    if (NT_SUCCESS(Status))
+        FCB->NeedsNewListen = FALSE;
AFD_DbgPrint(MID_TRACE,("Returning %x\n", Status));
     return UnlockAndMaybeComplete( FCB, Status, Irp, 0 );
@@ -298,7 +315,21 @@
                 FCB->LocalAddress->Address[0].AddressType );
if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo )
+            {
+                if (FCB->ListenIrp.ConnectionReturnInfo)
+                {
+                    ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+                    FCB->ListenIrp.ConnectionReturnInfo = NULL;
+                }
+
+                if (FCB->ListenIrp.ConnectionCallInfo)
+                {
+                    ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+                    FCB->ListenIrp.ConnectionCallInfo = NULL;
+                }
+
            return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+            }
Status = TdiListen( &FCB->ListenIrp.InFlightRequest,
    			FCB->Connection.Object,
Modified: trunk/reactos/drivers/network/afd/afd/main.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/mai...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -142,11 +142,14 @@
    /* Allocate our backup buffer */
    FCB->Recv.Window = ExAllocatePool( NonPagedPool, FCB->Recv.Size );
    if( !FCB->Recv.Window ) Status = STATUS_NO_MEMORY;
-        FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
-	if( !FCB->Send.Window ) {
-	    if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
-	    Status = STATUS_NO_MEMORY;
-	}
+        if( NT_SUCCESS(Status) )
+        {
+            FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
+	    if( !FCB->Send.Window ) {
+	         if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
+	         Status = STATUS_NO_MEMORY;
+            }
+	     }
    /* A datagram socket is always sendable */
    FCB->PollState |= AFD_EVENT_SEND;
         PollReeval( FCB->DeviceExt, FCB->FileObject );
@@ -235,6 +238,8 @@
     AFD_DbgPrint(MID_TRACE,
    	 ("AfdClose(DeviceObject %p Irp %p)\n", DeviceObject, Irp));
+    if( !SocketAcquireStateLock( FCB ) ) return LostSocket( Irp );
+
     AFD_DbgPrint(MID_TRACE,("FCB %x\n", FCB));
FCB->PollState |= AFD_EVENT_CLOSE;
@@ -244,11 +249,13 @@
     if( FCB->EventSelect ) ObDereferenceObject( FCB->EventSelect );
FileObject->FsContext = NULL;
+    SocketStateUnlock( FCB );
+
     DestroySocket( FCB );
Irp->IoStatus.Status = STATUS_SUCCESS;
     Irp->IoStatus.Information = 0;
-    IoCompleteRequest(Irp, IO_NO_INCREMENT);
+    IoCompleteRequest(Irp, IO_NETWORK_INCREMENT);
AFD_DbgPrint(MID_TRACE, ("Returning success.\n"));

    