[cgutman] 63899: [TCPIP] - Reference the address file while delivering data to avoid a use after free when an address file is closed during datagram delivery - Ros-diffs

17 Aug 2014

Author: cgutman
Date: Sun Aug 17 04:03:29 2014
New Revision: 63899

URL: http://svn.reactos.org/svn/reactos?rev=63899&view=rev
Log:
[TCPIP]
- Reference the address file while delivering data to avoid a use after free when an
address file is closed during datagram delivery

Modified:
    trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c
    trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c
    trunk/reactos/lib/drivers/ip/transport/udp/udp.c

Modified: trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/tcpip/tcpi…
==============================================================================

--- trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c	[iso-8859-1] (original)
+++ trunk/reactos/drivers/network/tcpip/tcpip/fileobjs.c	[iso-8859-1] Sun Aug 17 04:03:29
2014
@@ -222,7 +222,7 @@
  * ARGUMENTS:
  *     SearchContext = Pointer to search context
  * RETURNS:
- *     Pointer to address file, NULL if none was found
+ *     Pointer to referenced address file, NULL if none was found
  */
 PADDRESS_FILE AddrSearchNext(
     PAF_SEARCH SearchContext)
@@ -232,6 +232,7 @@
     KIRQL OldIrql;
     PADDRESS_FILE Current = NULL;
     BOOLEAN Found = FALSE;
+    PADDRESS_FILE StartingAddrFile;
     
     TcpipAcquireSpinLock(&AddressFileListLock, &OldIrql);
 
@@ -241,8 +242,8 @@
         return NULL;
     }
 
-    /* Remove the extra reference we added to keep this address file in memory */
-    DereferenceObject(CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE,
ListEntry));
+    /* Save this pointer so we can dereference it later */
+    StartingAddrFile = CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE,
ListEntry);
 
     CurrentEntry = SearchContext->Next;
 
@@ -279,9 +280,15 @@
             /* Reference the next address file to prevent the link from disappearing
behind our back */
             ReferenceObject(CONTAINING_RECORD(SearchContext->Next, ADDRESS_FILE,
ListEntry));
         }
+
+        /* Reference the returned address file before dereferencing the starting
+         * address file because it may be that Current == StartingAddrFile */
+        ReferenceObject(Current);
     }
     else
         Current = NULL;
+
+    DereferenceObject(StartingAddrFile);
 
     TcpipReleaseSpinLock(&AddressFileListLock, OldIrql);
 

Modified: trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/r…
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c	[iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/rawip/rawip.c	[iso-8859-1] Sun Aug 17 04:03:29
2014
@@ -321,6 +321,7 @@
                     0,
                     IPPacket,
                     DataSize);
+      DereferenceObject(AddrFile);
     } while ((AddrFile = AddrSearchNext(&SearchContext)) != NULL);
   } else {
     /* There are no open address files that will take this datagram */

Modified: trunk/reactos/lib/drivers/ip/transport/udp/udp.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/ip/transport/u…
==============================================================================
--- trunk/reactos/lib/drivers/ip/transport/udp/udp.c	[iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/ip/transport/udp/udp.c	[iso-8859-1] Sun Aug 17 04:03:29
2014
@@ -320,6 +320,7 @@
 		    UDPHeader->DestPort,
                     IPPacket,
                     DataSize);
+      DereferenceObject(AddrFile);
     } while ((AddrFile = AddrSearchNext(&SearchContext)) != NULL);
   } else {
     /* There are no open address files that will take this datagram */



    