Author: cgutman Date: Thu Aug 11 21:22:00 2011 New Revision: 53188
URL: http://svn.reactos.org/svn/reactos?rev=53188&view=rev Log: [LWIP] - Fix a buffer overflow when the packet queue has more packets than the receive request can take - Remove an extra variable
Modified: trunk/reactos/lib/drivers/lwip/src/rostcp.c
Modified: trunk/reactos/lib/drivers/lwip/src/rostcp.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/lwip/src/rostcp... ==============================================================================
--- trunk/reactos/lib/drivers/lwip/src/rostcp.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/lwip/src/rostcp.c [iso-8859-1] Thu Aug 11 21:22:00 2011
@@ -83,11 +83,10 @@
PQUEUE_ENTRY qp;
struct pbuf* p;
NTSTATUS Status = STATUS_PENDING;
- UINT ReadLength, ExistingDataLength, SpaceLeft;
+ UINT ReadLength, ExistingDataLength;
KIRQL OldIrql;
(*Received) = 0;
- SpaceLeft = RecvLen;
LockObject(Connection, &OldIrql);
@@ -100,7 +99,7 @@
Status = STATUS_SUCCESS;
- ReadLength = MIN(p->tot_len, SpaceLeft);
+ ReadLength = MIN(p->tot_len, RecvLen);
if (ReadLength != p->tot_len)
{
if (ExistingDataLength)
@@ -128,7 +127,7 @@
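Review bot: Once RecvLen has been counted down to zero, `MIN(p->tot_len, RecvLen)` gives a ReadLength of 0 for any further packet, so the bound on the copy then rests on the `ReadLength != p->tot_len` branch handling that packet without copying past the buffer. The loop header, the copy itself and the rest of that branch are outside this hunk, so this cannot be confirmed from the visible lines. A comment on this line stating the invariant would help the next reader, for example `/* RecvLen is the space still free in the caller's buffer; ReadLength never exceeds it */`. The `RecvLen -= ReadLength;` line in the following hunk is safe from unsigned underflow only because of this MIN, and RecvLen no longer holds the requested size afterwards, which matters if it is a parameter read again later in the function.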
LockObject(Connection, &OldIrql);
- SpaceLeft -= ReadLength;
+ RecvLen -= ReadLength;
/* Use this special pbuf free callback function because we're outside tcpip thread */
pbuf_free_callback(qp->p);
@@ -207,6 +206,8 @@
return ERR_OK;
}
+
+ ASSERT(!LibTCPDequeuePacket(Connection));
if (p)
{
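Review bot: `ASSERT(!LibTCPDequeuePacket(Connection));` puts a call that, going by its name, unlinks an entry from the packet queue inside an assertion. If ASSERT compiles to nothing in free builds, as is usual for NT-style kernels, the check disappears there, and in a checked build a failing assert has already removed an entry whose pbuf is then neither delivered nor freed. No LockObject call is visible around it in this hunk, whereas the receive path earlier in the file works on the queue under that lock; the enclosing function starts and ends outside the hunk, so the lock may be taken elsewhere. A check that only inspects the queue would avoid the side effect, e.g. `ASSERT(IsListEmpty(&Connection->QUEUE_HEAD_FIELD));` with the real list-head field substituted for the placeholder. If a non-empty queue can occur at run time, it should be handled explicitly, not asserted.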