Author: cgutman Date: Tue Aug 18 20:53:10 2009 New Revision: 42770
URL: http://svn.reactos.org/svn/reactos?rev=42770&view=rev Log: - Make sure HeapAlloc returned a valid pointer - Fix some memory leaks - Return a better status for STATUS_INSUFFICIENT_RESOURCES and STATUS_NO_MEMORY - Fix a potential null pointer dereference in SetSocketInformation and GetSocketInformation - Initialize RemoteAddress so we aren't trying to copy the remote address to 0 - Found by Amine Khaldi
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c trunk/reactos/dll/win32/msafd/misc/sndrcv.c
Modified: trunk/reactos/dll/win32/msafd/misc/dllmain.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msafd/misc/dllmai...
==============================================================================
--- trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msafd/misc/dllmain.c [iso-8859-1] Tue Aug 18 20:53:10 2009
@@ -98,6 +98,9 @@
/* Set Socket Data */
Socket = HeapAlloc(GlobalHeap, 0, sizeof(*Socket));
+ if (!Socket)
+ return MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL);
+
RtlZeroMemory(Socket, sizeof(*Socket));
Socket->RefCount = 2;
Socket->Handle = -1;
@@ -140,6 +143,9 @@
/* Set up EA Buffer */ EABuffer = HeapAlloc(GlobalHeap, 0, SizeOfEA); + if (!EABuffer) + return MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL); + RtlZeroMemory(EABuffer, SizeOfEA); EABuffer->NextEntryOffset = 0; EABuffer->Flags = 0; @@ -240,6 +246,8 @@ EABuffer, SizeOfEA);
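Review bot: The `if (!EABuffer)` failure path returns straight out and never releases `Socket`, which the `@@ -98` hunk allocated with `HeapAlloc` (the line numbers suggest the same function, though its start and end are outside these hunks). The commit adds `HeapFree(GlobalHeap, 0, Socket)` under the `error:` label further down, so routing this failure there would reuse it: `if (!EABuffer) { Status = STATUS_INSUFFICIENT_RESOURCES; goto error; }`. This assumes `Status` is in scope at that point and that `error:` belongs to this function, as the `@@ -290` hunk suggests.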
+ HeapFree(GlobalHeap, 0, EABuffer);
+
/* Save Handle */
Socket->Handle = (SOCKET)Sock;
@@ -290,6 +298,9 @@
error: AFD_DbgPrint(MID_TRACE,("Ending %x\n", Status)); + + if( Socket ) + HeapFree(GlobalHeap, 0, Socket);
if( lpErrno ) *lpErrno = Status; @@ -335,7 +346,7 @@ case STATUS_NO_MEMORY: /* Fall through to STATUS_INSUFFICIENT_RESOURCES */ case STATUS_INSUFFICIENT_RESOURCES: DbgPrint("MSAFD: STATUS_NO_MEMORY/STATUS_INSUFFICIENT_RESOURCES\n"); - *Errno = WSA_NOT_ENOUGH_MEMORY; + *Errno = WSANOBUFS; break; case STATUS_INVALID_CONNECTION: DbgPrint("MSAFD: STATUS_INVALID_CONNECTION\n"); @@ -1038,6 +1049,11 @@ { /* Allocate needed space */ PendingData = HeapAlloc(GlobalHeap, 0, PendingDataLength); + if (!PendingData) + { + MsafdReturnWithErrno( STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL ); + return INVALID_SOCKET; + }
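Review bot: The new `if( Socket ) HeapFree(GlobalHeap, 0, Socket);` under `error:` is only safe if `Socket` is initialised to NULL at its declaration, which is outside the hunk; any `goto error` taken before the `HeapAlloc` in the `@@ -98` hunk would otherwise free an indeterminate pointer. The object is also created with `Socket->RefCount = 2`, so it is worth confirming that no path reaches `error:` after the pointer has been stored anywhere else, since the free ignores the count. A short comment such as `/* Socket is not yet published here; safe to free directly */` would record that assumption.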
/* We want the data now */
PendingAcceptData.ReturnSize = FALSE;
@@ -1079,6 +1095,13 @@
CalleeID.buf = (PVOID)Socket->LocalAddress;
CalleeID.len = Socket->SharedData.SizeOfLocalAddress;
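Review bot: The value of `MsafdReturnWithErrno` is discarded in the `PendingData` check and `INVALID_SOCKET` is hard-coded, while the `@@ -98` and `@@ -140` hunks write `return MsafdReturnWithErrno(...)`; the same two-statement form recurs in the `@@ -1079`, `@@ -1097` and `@@ -1288` hunks and in both sndrcv.c hunks. `INVALID_SOCKET` is a `SOCKET` sentinel, so in any of those functions that returns `int` the conventional failure value would be `SOCKET_ERROR`; the signatures are outside the hunks, so this needs checking per function. Using one form throughout would make the error paths easier to audit.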
+ RemoteAddress = HeapAlloc(GlobalHeap, 0, sizeof(*RemoteAddress)); + if (!RemoteAddress) + { + MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL); + return INVALID_SOCKET; + } + /* Set up Address in SOCKADDR Format */ RtlCopyMemory (RemoteAddress, &ListenReceiveData->Address.Address[0].AddressType, @@ -1097,6 +1120,10 @@ { /* Allocate Buffer for Callee Data */ CalleeDataBuffer = HeapAlloc(GlobalHeap, 0, 4096); + if (!CalleeDataBuffer) { + MsafdReturnWithErrno( STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL ); + return INVALID_SOCKET; + } CalleeData.buf = CalleeDataBuffer; CalleeData.len = 4096; } @@ -1288,6 +1315,11 @@ /* Get the Wildcard Address */ BindAddressLength = Socket->HelperData->MaxWSAddressLength; BindAddress = HeapAlloc(GetProcessHeap(), 0, BindAddressLength); + if (!BindAddress) + { + MsafdReturnWithErrno( STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL ); + return INVALID_SOCKET; + } Socket->HelperData->WSHGetWildcardSockaddr (Socket->HelperContext, BindAddress, &BindAddressLength); @@ -1938,7 +1970,10 @@ }
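Review bot: `RemoteAddress` is now heap-allocated, but no hunk in this commit frees it, so unless a `HeapFree` already exists outside the visible lines every call through this path leaks `sizeof(*RemoteAddress)` bytes. The early `return INVALID_SOCKET;` added in the `@@ -1097` hunk (`CalleeDataBuffer`) also appears to skip releasing `RemoteAddress` and the `PendingData` buffer from the `@@ -1038` hunk, assuming all three sit in the same function. The length argument of the `RtlCopyMemory` call lies past the end of the hunk; it should not exceed `sizeof(*RemoteAddress)` now that the destination has exactly that size.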
/* Return Information */
- *Ulong = InfoData.Information.Ulong;
+ if (Ulong != NULL)
+ {
+ *Ulong = InfoData.Information.Ulong;
+ }
if (LargeInteger != NULL)
{
*LargeInteger = InfoData.Information.LargeInteger;
@@ -1975,7 +2010,10 @@
InfoData.InformationClass = AfdInformationClass;
/* Set Information */
- InfoData.Information.Ulong = *Ulong;
+ if (Ulong != NULL)
+ {
+ InfoData.Information.Ulong = *Ulong;
+ }
if (LargeInteger != NULL)
{
InfoData.Information.LargeInteger = *LargeInteger;
@@ -2491,6 +2529,7 @@
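Review bot: With the added guard in the set path, a call that passes NULL for both `Ulong` and `LargeInteger` leaves `InfoData.Information` unwritten before the structure is used. Whether `InfoData` is zeroed earlier is not visible in the hunk; if it is a plain stack variable, indeterminate bytes would presumably be handed on with the request. Clearing it first, e.g. `RtlZeroMemory(&InfoData, sizeof(InfoData));` before `InfoData.InformationClass = AfdInformationClass;`, or rejecting the both-NULL case, would close that gap.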
/* Wait on new events */
AsyncData = HeapAlloc(GetProcessHeap(), 0, sizeof(ASYNC_DATA));
+ if (!AsyncData) return;
/* Create the Asynch Thread if Needed */
SockCreateOrReferenceAsyncThread();
@@ -2538,6 +2577,7 @@
/* Allocate Heap for 1024 Sockets, can be expanded later */
Sockets = HeapAlloc(GetProcessHeap(), 0, sizeof(PSOCKET_INFORMATION) * 1024);
+ if (!Sockets) return FALSE;
AFD_DbgPrint(MAX_TRACE, ("MSAFD.DLL has been loaded\n"));
Modified: trunk/reactos/dll/win32/msafd/misc/sndrcv.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msafd/misc/sndrcv...
==============================================================================
--- trunk/reactos/dll/win32/msafd/misc/sndrcv.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msafd/misc/sndrcv.c [iso-8859-1] Tue Aug 18 20:53:10 2009
@@ -32,6 +32,11 @@
/* Allocate the Async Data Structure to pass on to the Thread later */
AsyncData = HeapAlloc(GetProcessHeap(), 0, sizeof(*AsyncData));
+ if (!AsyncData)
+ {
+ MsafdReturnWithErrno( STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL );
+ return INVALID_SOCKET;
+ }
/* Change the Socket to Non Blocking */ BlockMode = 1; @@ -533,6 +538,11 @@ /* Get the Wildcard Address */ BindAddressLength = Socket->HelperData->MaxWSAddressLength; BindAddress = HeapAlloc(GlobalHeap, 0, BindAddressLength); + if (!BindAddress) + { + MsafdReturnWithErrno( STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL ); + return INVALID_SOCKET; + } Socket->HelperData->WSHGetWildcardSockaddr (Socket->HelperContext, BindAddress, &BindAddressLength);