Author: cgutman
Date: Tue Mar 31 02:20:12 2009
New Revision: 40300
URL:
http://svn.reactos.org/svn/reactos?rev=40300&view=rev
Log:
- Validate the output buffer size before writing to it
- Fix some potential memory leaks
- Lock the FCB in AfdCloseSocket
Modified:
trunk/reactos/drivers/network/afd/afd/info.c
trunk/reactos/drivers/network/afd/afd/listen.c
trunk/reactos/drivers/network/afd/afd/main.c
Modified: trunk/reactos/drivers/network/afd/afd/info.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/in…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/info.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/info.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -154,8 +154,10 @@
if (NT_SUCCESS(Status))
{
- RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress,
TaLengthOfTransportAddress
-
(ConnInfo->RemoteAddress));
+ if (IrpSp->Parameters.DeviceIoControl.OutputBufferLength >=
TaLengthOfTransportAddress(ConnInfo->RemoteAddress))
+ RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress,
TaLengthOfTransportAddress(ConnInfo->RemoteAddress));
+ else
+ Status = STATUS_BUFFER_TOO_SMALL;
}
}
}
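Review bot: The added comparison against `IrpSp->Parameters.DeviceIoControl.OutputBufferLength` bounds the copy length, but the destination is still `Irp->UserBuffer`, written directly with RtlCopyMemory and never probed. If this IOCTL is METHOD_NEITHER — which using Irp->UserBuffer instead of a system buffer suggests, though the hunk does not show the definition — that pointer is a raw user-mode address, so a caller can aim it at kernel memory (a controlled kernel write of the peer address) or at an unmapped page (a bugcheck); the copy should be preceded by `ProbeForWrite(Irp->UserBuffer, TaLengthOfTransportAddress(ConnInfo->RemoteAddress), sizeof(ULONG));` inside the SEH wrapper this driver already uses, with the handler turning the exception code into Status. That also assumes the code runs in the requesting thread's context; if it can run from a completion routine the buffer must be captured earlier instead. The enclosing function starts and ends outside this hunk.
```c
if (IrpSp->Parameters.DeviceIoControl.OutputBufferLength >=
    TaLengthOfTransportAddress(ConnInfo->RemoteAddress))
{
    _SEH2_TRY
    {
        /* UserBuffer is an unvalidated user address: probe before writing. */
        ProbeForWrite(Irp->UserBuffer,
                      TaLengthOfTransportAddress(ConnInfo->RemoteAddress),
                      sizeof(ULONG));
        RtlCopyMemory(Irp->UserBuffer, ConnInfo->RemoteAddress,
                      TaLengthOfTransportAddress(ConnInfo->RemoteAddress));
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;
}
else
    Status = STATUS_BUFFER_TOO_SMALL;
```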
Modified: trunk/reactos/drivers/network/afd/afd/listen.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/li…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -215,7 +215,21 @@
FCB->LocalAddress->Address[0].AddressType );
if( !FCB->ListenIrp.ConnectionReturnInfo || !FCB->ListenIrp.ConnectionCallInfo
)
+ {
+ if (FCB->ListenIrp.ConnectionReturnInfo)
+ {
+ ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+ FCB->ListenIrp.ConnectionReturnInfo = NULL;
+ }
+
+ if (FCB->ListenIrp.ConnectionCallInfo)
+ {
+ ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+ FCB->ListenIrp.ConnectionCallInfo = NULL;
+ }
+
return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+ }
FCB->State = SOCKET_STATE_LISTENING;
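Review bot: The cleanup added on the allocation-failure path (free whichever of `ConnectionReturnInfo`/`ConnectionCallInfo` was allocated, then NULL it) is the right fix for the leak, but the identical twelve lines are repeated verbatim in the third hunk of this file; a small `static` helper taking the FCB pointer would keep the two sites from drifting, and each call site becomes `FreeListenInfo(FCB); return UnlockAndMaybeComplete(FCB, STATUS_NO_MEMORY, Irp, 0);`. The helper must be safe to call with either pointer already NULL, which the existing checks provide. The enclosing function begins before this hunk.
```c
/* Release the TDI listen buffers; safe to call with either already NULL. */
static VOID FreeListenInfo(PAFD_FCB FCB)
{
    if (FCB->ListenIrp.ConnectionReturnInfo)
    {
        ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
        FCB->ListenIrp.ConnectionReturnInfo = NULL;
    }
    if (FCB->ListenIrp.ConnectionCallInfo)
    {
        ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
        FCB->ListenIrp.ConnectionCallInfo = NULL;
    }
}
```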
@@ -229,6 +243,9 @@
if( Status == STATUS_PENDING )
Status = STATUS_SUCCESS;
+
+ if (NT_SUCCESS(Status))
+ FCB->NeedsNewListen = FALSE;
AFD_DbgPrint(MID_TRACE,("Returning %x\n", Status));
return UnlockAndMaybeComplete( FCB, Status, Irp, 0 );
@@ -298,7 +315,21 @@
FCB->LocalAddress->Address[0].AddressType );
if( !FCB->ListenIrp.ConnectionReturnInfo ||
!FCB->ListenIrp.ConnectionCallInfo )
+ {
+ if (FCB->ListenIrp.ConnectionReturnInfo)
+ {
+ ExFreePool(FCB->ListenIrp.ConnectionReturnInfo);
+ FCB->ListenIrp.ConnectionReturnInfo = NULL;
+ }
+
+ if (FCB->ListenIrp.ConnectionCallInfo)
+ {
+ ExFreePool(FCB->ListenIrp.ConnectionCallInfo);
+ FCB->ListenIrp.ConnectionCallInfo = NULL;
+ }
+
return UnlockAndMaybeComplete( FCB, STATUS_NO_MEMORY, Irp, 0 );
+ }
Status = TdiListen( &FCB->ListenIrp.InFlightRequest,
FCB->Connection.Object,
Modified: trunk/reactos/drivers/network/afd/afd/main.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/ma…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] Tue Mar 31 02:20:12 2009
@@ -142,11 +142,14 @@
/* Allocate our backup buffer */
FCB->Recv.Window = ExAllocatePool( NonPagedPool, FCB->Recv.Size );
if( !FCB->Recv.Window ) Status = STATUS_NO_MEMORY;
- FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
- if( !FCB->Send.Window ) {
- if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
- Status = STATUS_NO_MEMORY;
- }
+ if( NT_SUCCESS(Status) )
+ {
+ FCB->Send.Window = ExAllocatePool( NonPagedPool, FCB->Send.Size );
+ if( !FCB->Send.Window ) {
+ if( FCB->Recv.Window ) ExFreePool( FCB->Recv.Window );
+ Status = STATUS_NO_MEMORY;
+ }
+ }
/* A datagram socket is always sendable */
FCB->PollState |= AFD_EVENT_SEND;
PollReeval( FCB->DeviceExt, FCB->FileObject );
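Review bot: When the `Send.Window` allocation fails, `FCB->Recv.Window` is freed on the line above but left pointing at the released block; if the FCB is later torn down by a routine that frees Recv.Window (the close path in this same file calls DestroySocket, whose body is not shown), that becomes a double free, so add `FCB->Recv.Window = NULL;` directly after the `ExFreePool( FCB->Recv.Window )`. Separately, `FCB->PollState |= AFD_EVENT_SEND` and `PollReeval(...)` still execute after Status has been set to STATUS_NO_MEMORY, advertising a socket with no buffers as sendable; those two lines belong under `if( NT_SUCCESS(Status) )` as well, unless the remainder of the function (outside this hunk) undoes them on failure. The enclosing function starts before and ends after this hunk.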
@@ -235,6 +238,8 @@
AFD_DbgPrint(MID_TRACE,
("AfdClose(DeviceObject %p Irp %p)\n", DeviceObject, Irp));
+ if( !SocketAcquireStateLock( FCB ) ) return LostSocket( Irp );
+
AFD_DbgPrint(MID_TRACE,("FCB %x\n", FCB));
FCB->PollState |= AFD_EVENT_CLOSE;
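Review bot: Returning `LostSocket( Irp )` when `SocketAcquireStateLock( FCB )` fails means the close path exits without clearing FsContext or calling DestroySocket, and the I/O manager issues IRP_MJ_CLOSE exactly once and ignores its status, so the FCB and everything it owns would leak. If the lock can only fail when FCB is already NULL (the hunk does not show SocketAcquireStateLock), that is harmless and deserves a comment such as `/* Lock fails only for an already-destroyed FCB; nothing left to tear down */`; if it can fail for any other reason, close should still proceed to teardown rather than bail out. The enclosing function starts before this hunk.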
@@ -244,11 +249,13 @@
if( FCB->EventSelect ) ObDereferenceObject( FCB->EventSelect );
FileObject->FsContext = NULL;
+ SocketStateUnlock( FCB );
+
DestroySocket( FCB );
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
- IoCompleteRequest(Irp, IO_NO_INCREMENT);
+ IoCompleteRequest(Irp, IO_NETWORK_INCREMENT);
AFD_DbgPrint(MID_TRACE, ("Returning success.\n"));
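Review bot: `SocketStateUnlock( FCB )` is called immediately before `DestroySocket( FCB )`, so any other thread that already holds the FCB pointer and is blocked in SocketAcquireStateLock (a pending poll or a TDI completion, if such paths exist — the hunk does not show them) will acquire the lock on memory DestroySocket is about to free. Clearing `FileObject->FsContext` under the lock on the line above stops new IRPs from finding the FCB but does not cover references taken earlier. If unlocking first is required because DestroySocket deletes the lock itself, that should be stated at the call site, `/* Unlock before DestroySocket: it frees the FCB together with its lock */`, and the function should confirm no outstanding references remain before reaching this point. The enclosing function starts before this hunk.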