Fix use of a potentially freed net_buffer.
The buffer may have been freed if its data was added to the queue, but later the buffer size was still read from the object. A spurious acknowledge may have been sent, or one would have gone missing, depending on what happened with the allocation after it was freed.
This commit is contained in:
parent
01762bd57f
commit
24a15a69a8
@ -1703,7 +1703,11 @@ TCPEndpoint::_Receive(tcp_segment_header& segment, net_buffer* buffer)
|
||||
|
||||
bool notify = false;
|
||||
|
||||
if ((buffer->size > 0 || (segment.flags & TCP_FLAG_FINISH) != 0)
|
||||
// The buffer may be freed if its data is added to the queue, so cache
|
||||
// the size as we still need it later.
|
||||
uint32 bufferSize = buffer->size;
|
||||
|
||||
if ((bufferSize > 0 || (segment.flags & TCP_FLAG_FINISH) != 0)
|
||||
&& _ShouldReceive())
|
||||
notify = _AddData(segment, buffer);
|
||||
else {
|
||||
@ -1757,7 +1761,7 @@ TCPEndpoint::_Receive(tcp_segment_header& segment, net_buffer* buffer)
|
||||
if (notify)
|
||||
_NotifyReader();
|
||||
|
||||
if (buffer->size > 0 || (segment.flags & TCP_FLAG_SYNCHRONIZE) != 0)
|
||||
if (bufferSize > 0 || (segment.flags & TCP_FLAG_SYNCHRONIZE) != 0)
|
||||
action |= ACKNOWLEDGE;
|
||||
|
||||
_UpdateTimestamps(segment, segmentLength);
|
||||
|
Loading…
Reference in New Issue
Block a user