Author: janderwald Date: Fri Feb 10 16:28:35 2012 New Revision: 55525
URL: http://svn.reactos.org/svn/reactos?rev=55525&view=rev Log: [USBEHCI] [USBOHCI] - Don't corrupt memory when a queue head / transfer descriptor is freed - How did this work before...
Modified: branches/usb-bringup-trunk/drivers/usb/usbehci/memory_manager.cpp branches/usb-bringup-trunk/drivers/usb/usbohci/memory_manager.cpp
Modified: branches/usb-bringup-trunk/drivers/usb/usbehci/memory_manager.cpp
URL: http://svn.reactos.org/svn/reactos/branches/usb-bringup-trunk/drivers/usb/us...
==============================================================================
--- branches/usb-bringup-trunk/drivers/usb/usbehci/memory_manager.cpp [iso-8859-1] (original)
+++ branches/usb-bringup-trunk/drivers/usb/usbehci/memory_manager.cpp [iso-8859-1] Fri Feb 10 16:28:35 2012
@@ -271,7 +271,7 @@
IN ULONG Size)
{
KIRQL OldLevel;
- ULONG BlockOffset = 0, BlockLength;
+ ULONG BlockOffset = 0, BlockLength, BlockCount;
//
// sanity checks
@@ -302,14 +302,25 @@
Size = (Size + m_BlockSize - 1) & ~(m_BlockSize - 1);
//
+ // convert to blocks
+ //
+ BlockCount = Size / m_BlockSize;
+ ASSERT(BlockCount);
+
+ //
// acquire lock
//
KeAcquireSpinLock(m_Lock, &OldLevel);
//
+ // sanity check
+ //
+ ASSERT(RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount));
+
+ //
// release buffer
//
- RtlClearBits(&m_Bitmap, BlockOffset, Size);
+ RtlClearBits(&m_Bitmap, BlockOffset, BlockCount);
//
// release lock
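Review bot: The two new checks, `ASSERT(BlockCount)` and `ASSERT(RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount))`, are debug-only and compile away in free builds, so a double release, a wrong `Size`, or a `Size` that the round-up just above wraps to zero still reaches `RtlClearBits` and can mark blocks owned by another allocation as free. Make the guard unconditional, e.g. `if (BlockCount == 0 || !RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount))`, and in that branch release the spin lock and fail the call without clearing anything. No bound check of `BlockOffset + BlockCount` against `m_Bitmap.SizeOfBitMap` is visible here; the offset is computed outside the hunk, so confirm one exists before the bitmap is touched. The same applies to the identical hunk in usbohci/memory_manager.cpp, and the function's signature and return path are outside the hunk.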
Modified: branches/usb-bringup-trunk/drivers/usb/usbohci/memory_manager.cpp
URL: http://svn.reactos.org/svn/reactos/branches/usb-bringup-trunk/drivers/usb/us...
==============================================================================
--- branches/usb-bringup-trunk/drivers/usb/usbohci/memory_manager.cpp [iso-8859-1] (original)
+++ branches/usb-bringup-trunk/drivers/usb/usbohci/memory_manager.cpp [iso-8859-1] Fri Feb 10 16:28:35 2012
@@ -271,7 +271,7 @@
IN ULONG Size)
{
KIRQL OldLevel;
- ULONG BlockOffset = 0, BlockLength;
+ ULONG BlockOffset = 0, BlockLength, BlockCount;
//
// sanity checks
@@ -302,14 +302,25 @@
Size = (Size + m_BlockSize - 1) & ~(m_BlockSize - 1);
//
+ // convert to blocks
+ //
+ BlockCount = Size / m_BlockSize;
+ ASSERT(BlockCount);
+
+ //
// acquire lock
//
KeAcquireSpinLock(m_Lock, &OldLevel);
//
+ // sanity check
+ //
+ ASSERT(RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount));
+
+ //
// release buffer
//
- RtlClearBits(&m_Bitmap, BlockOffset, Size);
+ RtlClearBits(&m_Bitmap, BlockOffset, BlockCount);
//
// release lock