https://git.reactos.org/?p=reactos.git;a=commitdiff;h=0db79d4aa9d625a91ddb6…
commit 0db79d4aa9d625a91ddb6f9b3ff9f830cd796672
Author: Jérôme Gardou <jerome.gardou(a)reactos.org>
AuthorDate: Fri Dec 4 16:02:26 2020 +0100
Commit: Jérôme Gardou <jerome.gardou(a)reactos.org>
CommitDate: Fri Dec 4 16:08:14 2020 +0100
[NTOSKRNL:FSRTL] Fix memory corruption when pruning tunnel cache
---
ntoskrnl/fsrtl/tunnel.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ntoskrnl/fsrtl/tunnel.c b/ntoskrnl/fsrtl/tunnel.c
index 7f40f466192..a14acc5e02a 100644
--- a/ntoskrnl/fsrtl/tunnel.c
+++ b/ntoskrnl/fsrtl/tunnel.c
@@ -42,7 +42,7 @@ FsRtlFreeTunnelNode(
{
if (PoolList)
{
- /* divert the linked list entry, it's not required anymore, but we need it */
+ /* divert the linked list entry, it's not required anymore, but we need it
*/
InsertHeadList(PoolList, &CurEntry->TimerQueueEntry);
return;
}
@@ -124,7 +124,8 @@ FsRtlPruneTunnelCache(
/* If we have too many entries */
while (Cache->NumEntries > TunnelMaxEntries)
{
- CurEntry = CONTAINING_RECORD(Entry, TUNNEL_NODE_ENTRY, TimerQueueEntry);
+ ASSERT(!IsListEmpty(&Cache->TimerQueue));
+ CurEntry = CONTAINING_RECORD(Cache->TimerQueue.Flink, TUNNEL_NODE_ENTRY,
TimerQueueEntry);
FsRtlRemoveNodeFromTunnel(Cache, CurEntry, PoolList, &Rebalance);
}
}
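Review bot: The added `ASSERT(!IsListEmpty(&Cache->TimerQueue))` in the pruning loop only protects builds where ASSERT is compiled in. In other builds, an empty TimerQueue with NumEntries still above TunnelMaxEntries would make CONTAINING_RECORD compute a pointer from the list head itself, and FsRtlRemoveNodeFromTunnel would then unlink and free memory that is not a TUNNEL_NODE_ENTRY. Whether the counter can drift from the list is not visible in this hunk, but a runtime guard right after the ASSERT is cheap: `if (IsListEmpty(&Cache->TimerQueue)) break;`. A comment such as `/* Always take the current head: the previous entry was already unlinked by FsRtlRemoveNodeFromTunnel */` would also record why the old `Entry` variable must not be reused here. The body of FsRtlPruneTunnelCache starts before this hunk, so how `Entry` is set earlier could not be checked.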
@@ -477,7 +478,7 @@ FsRtlAddToTunnelCache(IN PTUNNEL Cache,
RtlInsertAsRightChild(RtlParent(CurEntry), NodeEntry);
}
}
-
+
/* remove entry */
RemoveEntryList(&((PTUNNEL_NODE_ENTRY)CurEntry)->TimerQueueEntry);