[TCPIP]
authorCameron Gutman <aicommander@gmail.com>
Mon, 5 Dec 2011 03:51:01 +0000 (03:51 +0000)
committerCameron Gutman <aicommander@gmail.com>
Mon, 5 Dec 2011 03:51:01 +0000 (03:51 +0000)
- Fix the overflow fix

svn path=/trunk/; revision=54598

reactos/drivers/network/tcpip/include/receive.h
reactos/lib/drivers/ip/network/receive.c

index 51a8bda..d9884a8 100644 (file)
@@ -38,7 +38,7 @@ typedef struct IPDATAGRAM_REASSEMBLY {
     IP_ADDRESS DstAddr;          /* Destination address */
     UCHAR Protocol;              /* Internet Protocol number */
     USHORT Id;                   /* Identification number */
-    IP_HEADER IPv4Header;        /* Pointer to IP header */
+    PIP_HEADER IPv4Header;       /* Pointer to IP header */
     UINT HeaderSize;             /* Length of IP header */
     LIST_ENTRY FragmentListHead; /* IP fragment list */
     LIST_ENTRY HoleListHead;     /* IP datagram hole list */
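Review bot: The comment on `IPv4Header` does not say who owns the buffer now that the header is no longer embedded in the structure. Going by the other hunks of this commit, the field holds a pool allocation made in ProcessFragment and released in FreeIPDR, so I would write `PIP_HEADER IPv4Header; /* Pool copy of the first fragment's IP header (HeaderSize bytes), freed by FreeIPDR */`. The struct definition starts and ends outside the hunk.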
index 3273e27..eb2ece3 100644 (file)
@@ -108,6 +108,12 @@ VOID FreeIPDR(
     CurrentEntry = NextEntry;
   }
 
+  if (IPDR->IPv4Header)
+  {
+      TI_DbgPrint(DEBUG_IP, ("Freeing IPDR header at (0x%X).\n", IPDR->IPv4Header));
+      ExFreePoolWithTag(IPDR->IPv4Header, PACKET_BUFFER_TAG);
+  }
+
   TI_DbgPrint(DEBUG_IP, ("Freeing IPDR data at (0x%X).\n", IPDR));
 
   ExFreeToNPagedLookasideList(&IPDRList, IPDR);
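Review bot: The new `if (IPDR->IPv4Header)` test is only safe if the field is NULL whenever no first fragment has been stored, and the diff does not show where an IPDR is taken from `IPDRList`. Lookaside-list allocations are not zeroed, so unless the creation path already clears the field, a reassembly freed before its offset-zero fragment arrives would hand an uninitialised pointer to `ExFreePoolWithTag`. Please confirm that the creation code sets `IPDR->IPv4Header = NULL;` and `IPDR->HeaderSize = 0;`, or add those lines there. FreeIPDR's body starts outside the hunk.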
@@ -218,7 +224,7 @@ ReassembleDatagram(
   IPPacket->MappedHeader = FALSE;
 
   /* Copy the header into the buffer */
-  RtlCopyMemory(IPPacket->Header, &IPDR->IPv4Header, sizeof(IPDR->IPv4Header));
+  RtlCopyMemory(IPPacket->Header, IPDR->IPv4Header, IPDR->HeaderSize);
 
   Data = (PVOID)((ULONG_PTR)IPPacket->Header + IPDR->HeaderSize);
   IPPacket->Data = Data;
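Review bot: The copy now dereferences `IPDR->IPv4Header` and trusts `IPDR->HeaderSize`, but nothing in the hunk checks that a first fragment was stored before reassembly runs. The hole list presumably guarantees this, so an assertion rather than a runtime branch seems enough: `ASSERT(IPDR->IPv4Header != NULL);` just before the `RtlCopyMemory`. The allocation of `IPPacket->Header` is outside the hunk, so it is worth checking that it is sized from the same `IPDR->HeaderSize`, now that the length is no longer a compile-time constant.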
@@ -394,11 +400,21 @@ VOID ProcessFragment(
 
     /* If this is the first fragment, save the IP header */
     if (FragFirst == 0) {
-      TI_DbgPrint(DEBUG_IP, ("First fragment found. Header buffer is at (0x%X). "
-        "Header size is (%d).\n", &IPDR->IPv4Header, IPPacket->HeaderSize));
+        IPDR->IPv4Header = ExAllocatePoolWithTag(NonPagedPool,
+                                                 IPPacket->HeaderSize,
+                                                 PACKET_BUFFER_TAG);
+        if (!IPDR->IPv4Header)
+        {
+            Cleanup(&IPDR->Lock, OldIrql, IPDR);
+            return;
+        }
+
+        RtlCopyMemory(IPDR->IPv4Header, IPPacket->Header, IPPacket->HeaderSize);
+        IPDR->HeaderSize = IPPacket->HeaderSize;
+
+        TI_DbgPrint(DEBUG_IP, ("First fragment found. Header buffer is at (0x%X). "
+                               "Header size is (%d).\n", &IPDR->IPv4Header, IPPacket->HeaderSize));
 
-      RtlCopyMemory(&IPDR->IPv4Header, IPPacket->Header, sizeof(IPDR->IPv4Header));
-      IPDR->HeaderSize = sizeof(IPDR->IPv4Header);
     }
 
     /* Create a buffer, copy the data into it and put it
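Review bot: The `FragFirst == 0` branch allocates a new header buffer each time it runs and overwrites `IPDR->IPv4Header` without releasing an earlier one. If a second offset-zero fragment for the same datagram can reach this point, the previous non-paged pool allocation is leaked; this is inferred, because the hole matching around the branch is outside the hunk. Guarding the branch with `if (FragFirst == 0 && IPDR->IPv4Header == NULL) {` would keep the first stored header, assuming the field starts out NULL. Separately, the debug print still passes `&IPDR->IPv4Header`, which is now the address of the pointer field rather than of the buffer; it should pass `IPDR->IPv4Header`. ProcessFragment's body starts and ends outside the hunk.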