From: Sebastian Lackner
Subject: [1/5] ntoskrnl.exe: Defer deallocation of in_buff in dispatch_ioctl.
Message-Id:
Date: Sun, 16 Oct 2016 08:48:55 +0200
Signed-off-by: Sebastian Lackner
---
Otherwise the caller might try to reuse the released buffer in case of a failure.
 dlls/ntoskrnl.exe/ntoskrnl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 428e700..3c18ee6 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -417,6 +417,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
 {
     IRP *irp;
     void *out_buff = NULL;
+    void *to_free = NULL;
     DEVICE_OBJECT *device;
     FILE_OBJECT *file = wine_server_get_ptr( params->ioctl.file );
@@ -435,7 +436,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
         if ((params->ioctl.code & 3) == METHOD_BUFFERED)
         {
             memcpy( out_buff, in_buff, in_size );
-            HeapFree( GetProcessHeap(), 0, in_buff );
+            to_free = in_buff;
             in_buff = out_buff;
         }
     }
@@ -455,6 +456,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
     irp->Flags |= IRP_DEALLOCATE_BUFFER; /* deallocate in_buff */
     dispatch_irp( device, irp, irp_handle );
+    HeapFree( GetProcessHeap(), 0, to_free );
     return STATUS_SUCCESS;
 }
-- 
2.9.0
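Review bot: The ownership rule these hunks establish for in_buff is never written down in dispatch_ioctl, whose signature and the failure returns between the @@ -435 and @@ -455 hunks lie outside the diff: the caller's buffer is now consumed only on the STATUS_SUCCESS path (directly through to_free in the METHOD_BUFFERED case, otherwise later via IRP_DEALLOCATE_BUFFER), and on every error return the caller keeps it and must release it. A comment on the function, e.g. `/* in_buff is consumed only when STATUS_SUCCESS is returned; on failure the caller keeps ownership */`, would stop a later change from reintroducing the early free or from leaking it on a new error path. In the @@ -455 hunk the new `HeapFree( GetProcessHeap(), 0, to_free );` also runs with to_free == NULL whenever the ioctl is not METHOD_BUFFERED; that appears to rely on HeapFree tolerating a NULL pointer, which is worth stating with `/* NULL unless the METHOD_BUFFERED path swapped in out_buff */` next to the declaration in the @@ -417 hunk.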