https://git.reactos.org/?p=reactos.git;a=commitdiff;h=0db79d4aa9d625a91ddb6f...
commit 0db79d4aa9d625a91ddb6f9b3ff9f830cd796672 Author: Jérôme Gardou jerome.gardou@reactos.org AuthorDate: Fri Dec 4 16:02:26 2020 +0100 Commit: Jérôme Gardou jerome.gardou@reactos.org CommitDate: Fri Dec 4 16:08:14 2020 +0100
[NTOSKRNL:FSRTL] Fix memory corruption when pruning tunnel cache --- ntoskrnl/fsrtl/tunnel.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ntoskrnl/fsrtl/tunnel.c b/ntoskrnl/fsrtl/tunnel.c
index 7f40f466192..a14acc5e02a 100644
--- a/ntoskrnl/fsrtl/tunnel.c
+++ b/ntoskrnl/fsrtl/tunnel.c
@@ -42,7 +42,7 @@ FsRtlFreeTunnelNode(
 {
 if (PoolList)
 {
- /* divert the linked list entry, it's not required anymore, but we need it */
+ /* divert the linked list entry, it's not required anymore, but we need it */
 InsertHeadList(PoolList, &CurEntry->TimerQueueEntry);
 return;
 }
@@ -124,7 +124,8 @@ FsRtlPruneTunnelCache(
 /* If we have too many entries */
 while (Cache->NumEntries > TunnelMaxEntries)
 {
- CurEntry = CONTAINING_RECORD(Entry, TUNNEL_NODE_ENTRY, TimerQueueEntry);
+ ASSERT(!IsListEmpty(&Cache->TimerQueue));
+ CurEntry = CONTAINING_RECORD(Cache->TimerQueue.Flink, TUNNEL_NODE_ENTRY, TimerQueueEntry);
 FsRtlRemoveNodeFromTunnel(Cache, CurEntry, PoolList, &Rebalance);
 }
 }
@@ -477,7 +478,7 @@ FsRtlAddToTunnelCache(IN PTUNNEL Cache,
 RtlInsertAsRightChild(RtlParent(CurEntry), NodeEntry);
 }
 }
- + /* remove entry */ RemoveEntryList(&((PTUNNEL_NODE_ENTRY)CurEntry)->TimerQueueEntry);
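Review bot: In the FsRtlPruneTunnelCache hunk, the new `ASSERT(!IsListEmpty(&Cache->TimerQueue));` is the only guard before `Cache->TimerQueue.Flink` is converted into a node, and ASSERT is compiled out of free (non-debug) builds. If `Cache->NumEntries` ever exceeds `TunnelMaxEntries` while the queue is empty (whether the counter and the list can get out of step is not visible here), Flink is the list head itself and CONTAINING_RECORD yields a pointer that is not a TUNNEL_NODE_ENTRY, which is then passed to FsRtlRemoveNodeFromTunnel. A runtime check such as `if (IsListEmpty(&Cache->TimerQueue)) break;` placed right after the ASSERT would stop that case from becoming the same kind of corruption this commit fixes. The function body starts and ends outside the hunk.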