Fix use of a potentially freed net_buffer.

The buffer may have been freed if its data was added to the queue, but
later the buffer size was still read from the object. A spurious
acknowledge may have been sent, or one would have gone missing,
depending on what happened with the allocation after it was freed.
Michael Lotz 2011-12-04 02:34:35 +01:00
parent 01762bd57f
commit 24a15a69a8


@ -1703,7 +1703,11 @@ TCPEndpoint::_Receive(tcp_segment_header& segment, net_buffer* buffer)
bool notify = false;
if ((buffer->size > 0 || (segment.flags & TCP_FLAG_FINISH) != 0)
// The buffer may be freed if its data is added to the queue, so cache
// the size as we still need it later.
uint32 bufferSize = buffer->size;
if ((bufferSize > 0 || (segment.flags & TCP_FLAG_FINISH) != 0)
&& _ShouldReceive())
notify = _AddData(segment, buffer);
else {
@ -1757,7 +1761,7 @@ TCPEndpoint::_Receive(tcp_segment_header& segment, net_buffer* buffer)
if (notify)
_NotifyReader();
if (buffer->size > 0 || (segment.flags & TCP_FLAG_SYNCHRONIZE) != 0)
if (bufferSize > 0 || (segment.flags & TCP_FLAG_SYNCHRONIZE) != 0)
action |= ACKNOWLEDGE;
_UpdateTimestamps(segment, segmentLength);
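Review bot: After the `_AddData(segment, buffer)` call in the first hunk, `buffer` stays in scope as a possibly dangling pointer for the rest of `_Receive`, and only the two reads shown here are switched to the cached `bufferSize`. The roughly fifty lines between the two hunks are not visible, so any other `buffer->` access there should be checked for the same use-after-free. A comment at the call site would help keep later edits from reintroducing the read, for example `// _AddData() may free buffer; do not dereference it below, use bufferSize`. The function starts and ends outside both hunks, so whether the `else` branch or the caller still owns the buffer cannot be confirmed from here.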