
PATCH - [TCPIP] Avoid use-after-free of IPDATAGRAM_REASSEMBLY structures


Details

• Type: Bug
• Status: Resolved
• Priority: Critical
• Resolution: Fixed
• Fix Version/s: 0.4.3
• Component/s: Networking
• Sprint: September 2016

Description

The affected code steps through a linked list of IPDATAGRAM_REASSEMBLY structures and releases them all back to a nonpaged lookaside list. Each time, the next entry in the list is found by following a pointer in the current structure after that structure has already been released to the lookaside list. This is corrected in the attached patch.

Note that the Flink field of the LIST_ENTRY that is used to find the next entry coincides with the Next field of the SLIST_ENTRY. So the current code corrupts either the lookaside list the entry was released to, or the nonpaged pool if the lookaside list was full. This would very easily lead to a bugcheck, so this particular piece of code is probably not executed frequently (only when the driver is unloaded, it seems).
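As an added illustration that is not part of this report or of the ReactOS patch, the following stand-alone C model contrasts the two traversals. The NT structures and the lookaside list are constructed stand-ins (no real kernel API is used); ExFreeToNPagedLookasideList is modelled as a push that overwrites the block's first pointer-sized word, which is exactly the Flink/Next aliasing the report describes.

```c
#include <string.h>
/* Constructed stand-in for the NT LIST_ENTRY; SLIST_ENTRY.Next is likewise the
 * first pointer-sized word of a block, which is why Flink and Next alias. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY ListEntry; unsigned Id; } IPDATAGRAM_REASSEMBLY;

#define NODES 4
static IPDATAGRAM_REASSEMBLY Pool[NODES];  /* pretend nonpaged allocations */
static IPDATAGRAM_REASSEMBLY Spare;        /* a block already on the lookaside */
static void *LookasideHead;                /* simulated lookaside free list */
static unsigned FreeCount[NODES + 1];      /* how often each block was freed */
/* Stand-in for ExFreeToNPagedLookasideList: pushing onto the singly linked
 * free list overwrites the block's first pointer-sized word, i.e. its Flink. */
static void FreeToLookaside(IPDATAGRAM_REASSEMBLY *r) {
    memcpy(r, &LookasideHead, sizeof LookasideHead);
    LookasideHead = r;
    FreeCount[r->Id]++;
}

/* Builds Head -> Pool[0] -> ... -> Pool[3]; the lookaside already holds Spare. */
static void Reset(LIST_ENTRY *Head) {
    Head->Flink = Head->Blink = Head;
    for (unsigned i = 0; i < NODES; i++) {
        LIST_ENTRY *e = &Pool[i].ListEntry;
        Pool[i].Id = i;
        e->Blink = Head->Blink; e->Flink = Head;
        Head->Blink->Flink = e; Head->Blink = e;
    }
    Spare.Id = NODES; LookasideHead = NULL; FreeToLookaside(&Spare);
    memset(FreeCount, 0, sizeof FreeCount);
}
/* The pattern the report describes: the entry is released first and its Flink
 * read afterwards, so the walk follows the lookaside's Next pointer instead.
 * Capped at MaxSteps because the corrupted lists form a cycle. */
static unsigned ReleaseAllBuggy(LIST_ENTRY *Head, unsigned MaxSteps) {
    unsigned steps = 0;
    for (LIST_ENTRY *e = Head->Flink; e != Head && e && steps < MaxSteps; steps++) {
        FreeToLookaside((IPDATAGRAM_REASSEMBLY *)e);  /* ListEntry is first member */
        e = e->Flink;   /* use-after-free: this word now holds the lookaside Next */
    }
    return steps;
}

/* Corrected form: capture the next link before releasing the current entry. */
static unsigned ReleaseAllFixed(LIST_ENTRY *Head) {
    unsigned freed = 0;
    for (LIST_ENTRY *e = Head->Flink, *next; e != Head; e = next, freed++) {
        next = e->Flink;   /* still valid: the entry has not been released yet */
        FreeToLookaside((IPDATAGRAM_REASSEMBLY *)e);
    }
    Head->Flink = Head->Blink = Head;
    return freed;
}
```

With one block already on the lookaside, the buggy walk ping-pongs between the first list entry and that block, double-freeing both and never touching the other three entries; the corrected walk releases each of the four entries exactly once.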

People

• Assignee: AmineKhaldi
• Reporter: Roel Messiant (rome)