Skip to content

Commit

Permalink
driver: prevent access to already deleted object
Browse files Browse the repository at this point in the history
daynix#81
If during redirection the redirection object is deleted
we may try accessing the deleted object in the loop of
attempts to create the redirection handle.
To avoid this we reference the redirection object until
the redirection request completely satisfied or failed.

Signed-off-by: Yuri Benditovich <[email protected]>
  • Loading branch information
ybendito authored and YanVugenfirer committed Jan 2, 2020
1 parent 7c93e05 commit 65f7251
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions UsbDk/ControlDevice.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -731,6 +731,8 @@ NTSTATUS CUsbDkControlDevice::AddRedirect(const USB_DK_DEVICE_ID &DeviceId, HAND
{
return addRes;
}
Redirection->AddRef();
CObjHolder<CUsbDkRedirection, CRefCountingDeleter> dereferencer(Redirection);

TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_CONTROLDEVICE, "%!FUNC! Success. New redirections list:");
m_Redirections.Dump();
Expand Down Expand Up @@ -1198,6 +1200,12 @@ NTSTATUS CUsbDkRedirection::CreateRedirectorHandle(HANDLE RequestorProcess, PHAN

do
{
if (IsPreparedForRemove())
{
TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_WDFDEVICE, "%!FUNC!: device already marked for removal");
status = STATUS_DEVICE_REMOVED;
break;
}
status = m_RedirectorDevice->CreateUserModeHandle(RequestorProcess, ObjectHandle);
if (NT_SUCCESS(status))
{
Expand Down

0 comments on commit 65f7251

Please sign in to comment.