From: Cameron Gutman Date: Mon, 5 Dec 2011 03:51:01 +0000 (+0000) Subject: [TCPIP] X-Git-Tag: backups/usb-bringup@55523~3^2~203 X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=b8680bd68689673572631014cc1b2e2804e92c01;hp=b855c23983898c2650dcb4e7db62251c4159e719 [TCPIP] - Fix the overflow fix svn path=/trunk/; revision=54598 --- diff --git a/reactos/drivers/network/tcpip/include/receive.h b/reactos/drivers/network/tcpip/include/receive.h index 51a8bdad182..d9884a8c589 100644 --- a/reactos/drivers/network/tcpip/include/receive.h +++ b/reactos/drivers/network/tcpip/include/receive.h @@ -38,7 +38,7 @@ typedef struct IPDATAGRAM_REASSEMBLY { IP_ADDRESS DstAddr; /* Destination address */ UCHAR Protocol; /* Internet Protocol number */ USHORT Id; /* Identification number */ - IP_HEADER IPv4Header; /* Pointer to IP header */ + PIP_HEADER IPv4Header; /* Pointer to IP header */ UINT HeaderSize; /* Length of IP header */ LIST_ENTRY FragmentListHead; /* IP fragment list */ LIST_ENTRY HoleListHead; /* IP datagram hole list */ diff --git a/reactos/lib/drivers/ip/network/receive.c b/reactos/lib/drivers/ip/network/receive.c index 3273e272ac3..eb2ece33b80 100644 --- a/reactos/lib/drivers/ip/network/receive.c +++ b/reactos/lib/drivers/ip/network/receive.c @@ -108,6 +108,12 @@ VOID FreeIPDR( CurrentEntry = NextEntry; } + if (IPDR->IPv4Header) + { + TI_DbgPrint(DEBUG_IP, ("Freeing IPDR header at (0x%X).\n", IPDR->IPv4Header)); + ExFreePoolWithTag(IPDR->IPv4Header, PACKET_BUFFER_TAG); + } + TI_DbgPrint(DEBUG_IP, ("Freeing IPDR data at (0x%X).\n", IPDR)); ExFreeToNPagedLookasideList(&IPDRList, IPDR); @@ -218,7 +224,7 @@ ReassembleDatagram( IPPacket->MappedHeader = FALSE; /* Copy the header into the buffer */ - RtlCopyMemory(IPPacket->Header, &IPDR->IPv4Header, sizeof(IPDR->IPv4Header)); + RtlCopyMemory(IPPacket->Header, IPDR->IPv4Header, IPDR->HeaderSize); Data = (PVOID)((ULONG_PTR)IPPacket->Header + IPDR->HeaderSize); IPPacket->Data = Data; @@ -394,11 +400,21 @@ VOID ProcessFragment( /* If this is the first fragment, save the IP header */ if (FragFirst == 0) { - TI_DbgPrint(DEBUG_IP, ("First fragment found. Header buffer is at (0x%X). " - "Header size is (%d).\n", &IPDR->IPv4Header, IPPacket->HeaderSize)); + IPDR->IPv4Header = ExAllocatePoolWithTag(NonPagedPool, + IPPacket->HeaderSize, + PACKET_BUFFER_TAG); + if (!IPDR->IPv4Header) + { + Cleanup(&IPDR->Lock, OldIrql, IPDR); + return; + } + + RtlCopyMemory(IPDR->IPv4Header, IPPacket->Header, IPPacket->HeaderSize); + IPDR->HeaderSize = IPPacket->HeaderSize; + + TI_DbgPrint(DEBUG_IP, ("First fragment found. Header buffer is at (0x%X). " + "Header size is (%d).\n", &IPDR->IPv4Header, IPPacket->HeaderSize)); - RtlCopyMemory(&IPDR->IPv4Header, IPPacket->Header, sizeof(IPDR->IPv4Header)); - IPDR->HeaderSize = sizeof(IPDR->IPv4Header); } /* Create a buffer, copy the data into it and put it