From 3b610947b2e25051428c2df832a0f4771b57ad37 Mon Sep 17 00:00:00 2001
From: Daniel Miller
Date: Thu, 9 Jul 2020 12:00:45 -0500
Subject: [PATCH] Fix double-free: don't keep track of opens we've already freed in NPF_Cleanup
---
 packetWin7/npf/npf/Openclos.c | 5 -----
 packetWin7/npf/npf/Packet.c | 26 ++++++++++++++++----------
 packetWin7/npf/npf/Packet.h | 2 --
 3 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/packetWin7/npf/npf/Openclos.c b/packetWin7/npf/npf/Openclos.c
index 8cd559c1..b263b94e 100644
--- a/packetWin7/npf/npf/Openclos.c
+++ b/packetWin7/npf/npf/Openclos.c
@@ -925,11 +925,6 @@ NPF_DetachOpenInstance(
 }
 pOpen->pFiltMod = NULL;
-
- ExInterlockedPushEntryList(
- &pOpen->DeviceExtension->DetachedOpens,
- &pOpen->OpenInstancesEntry,
- &pOpen->DeviceExtension->DetachedOpensLock);
 }
 //-------------------------------------------------------------------
diff --git a/packetWin7/npf/npf/Packet.c b/packetWin7/npf/npf/Packet.c
index 171095f3..da496a98 100644
--- a/packetWin7/npf/npf/Packet.c
+++ b/packetWin7/npf/npf/Packet.c
@@ -423,8 +423,6 @@ DriverEntry(
 }
 devExtP->ExportString = deviceSymLink.Buffer;
- devExtP->DetachedOpens.Next = NULL;
- KeInitializeSpinLock(&devExtP->DetachedOpensLock);
 /* Have to set this up before NdisFRegisterFilterDriver, since we can get Attach calls immediately after that! */
 NdisAllocateSpinLock(&g_FilterArrayLock);
@@ -878,13 +876,14 @@ Return Value:
 --*/
 {
- PSINGLE_LIST_ENTRY Curr = NULL;
+ PLIST_ENTRY CurrEntry = NULL;
 PDEVICE_OBJECT DeviceObject;
 PDEVICE_OBJECT OldDeviceObject;
 PDEVICE_EXTENSION DeviceExtension;
 NDIS_STATUS Status;
 NDIS_STRING SymLink;
 NDIS_EVENT Event;
+ LOCK_STATE_EX lockState;
 TRACE_ENTER();
@@ -937,16 +936,23 @@ Return Value:
 TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "Deleting Adapter, Device Obj=%p (%p)", DeviceObject, OldDeviceObject);
- Curr = DeviceExtension->DetachedOpens.Next;
- while (Curr != NULL)
+ NdisAcquireRWLockWrite(DeviceExtension->AllOpensLock, &lockState, 0);
+ for (CurrEntry = DeviceExtension->AllOpens.Flink;
+ CurrEntry != &DeviceExtension->AllOpens;
+ CurrEntry = CurrEntry->Flink)
 {
- POPEN_INSTANCE pOpen = CONTAINING_RECORD(Curr, OPEN_INSTANCE, OpenInstancesEntry);
- Curr = Curr->Next;
+ POPEN_INSTANCE pOpen = CONTAINING_RECORD(CurrEntry, OPEN_INSTANCE, AllOpensEntry);
+ if (pOpen->OpenStatus == OpenDetached)
+ {
+ CurrEntry = CurrEntry->Blink;
+ RemoveEntryList(&pOpen->AllOpensEntry);
- NPF_CloseOpenInstance(pOpen);
- NPF_ReleaseOpenInstanceResources(pOpen);
- ExFreePool(pOpen);
+ NPF_CloseOpenInstance(pOpen);
+ NPF_ReleaseOpenInstanceResources(pOpen);
+ ExFreePool(pOpen);
+ }
 }
+ NdisReleaseRWLock(DeviceExtension->AllOpensLock, &lockState);
 if (DeviceExtension->ExportString)
 {
diff --git a/packetWin7/npf/npf/Packet.h b/packetWin7/npf/npf/Packet.h
index 4211186e..9929274a 100644
--- a/packetWin7/npf/npf/Packet.h
+++ b/packetWin7/npf/npf/Packet.h
@@ -250,8 +250,6 @@ typedef struct _DEVICE_EXTENSION
 {
 PWSTR ExportString; ///< Name of the exported device, i.e. name that the applications will use
 ///< to open this adapter through Packet.dll.
- SINGLE_LIST_ENTRY DetachedOpens; //GroupHead
- KSPIN_LOCK DetachedOpensLock; // GroupLock
 LIST_ENTRY AllOpens;
 PNDIS_RW_LOCK_EX AllOpensLock;
 NDIS_HANDLE FilterDriverHandle;
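Review bot: In the Packet.c cleanup loop (hunk `@@ -937,16 +936,23 @@`), `NPF_CloseOpenInstance`, `NPF_ReleaseOpenInstanceResources` and `ExFreePool` now run inside the `NdisAcquireRWLockWrite`/`NdisReleaseRWLock` pair, and an NDIS RW lock is held at DISPATCH_LEVEL. Neither helper's body is visible here, so it should be confirmed that they never wait, touch pageable data, or take `AllOpensLock` themselves. If that cannot be guaranteed, unlink the detached entries onto a local list under the lock and close and free them after releasing it, as sketched below. The sketch also saves the next pointer before unlinking, which replaces the `CurrEntry = CurrEntry->Blink` back-step; that step is correct but easy to break in a later edit. The enclosing function begins and ends outside this hunk, so the two new locals belong with its other declarations.

```c
LIST_ENTRY DetachedList;   /* new local: detached opens pending teardown */
PLIST_ENTRY NextEntry;     /* new local: successor saved before unlinking */

InitializeListHead(&DetachedList);

/* Only list manipulation happens under the lock. */
NdisAcquireRWLockWrite(DeviceExtension->AllOpensLock, &lockState, 0);
for (CurrEntry = DeviceExtension->AllOpens.Flink;
		CurrEntry != &DeviceExtension->AllOpens;
		CurrEntry = NextEntry)
{
	POPEN_INSTANCE pOpen = CONTAINING_RECORD(CurrEntry, OPEN_INSTANCE, AllOpensEntry);
	NextEntry = CurrEntry->Flink;
	if (pOpen->OpenStatus == OpenDetached)
	{
		RemoveEntryList(&pOpen->AllOpensEntry);
		InsertTailList(&DetachedList, &pOpen->AllOpensEntry);
	}
}
NdisReleaseRWLock(DeviceExtension->AllOpensLock, &lockState);

/* Teardown runs after the lock is dropped, back at the caller's IRQL. */
while (!IsListEmpty(&DetachedList))
{
	PLIST_ENTRY Entry = RemoveHeadList(&DetachedList);
	POPEN_INSTANCE pOpen = CONTAINING_RECORD(Entry, OPEN_INSTANCE, AllOpensEntry);

	NPF_CloseOpenInstance(pOpen);
	NPF_ReleaseOpenInstanceResources(pOpen);
	ExFreePool(pOpen);
}
// … unchanged: ExportString cleanup that follows …
```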