Daniel Lehman : ntoskrnl.exe: Fix use-after-free when freeing IRP.

Fri Oct 8 14:12:26 CDT 2021

Module: wine
Branch: master
Commit: de0e9ad9654f7ba568e2b7f81727bdfcc7327d23
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=de0e9ad9654f7ba568e2b7f81727bdfcc7327d23

Author: Daniel Lehman <dlehman at esri.com>
Date:   Thu Oct  7 10:02:33 2021 -0700

ntoskrnl.exe: Fix use-after-free when freeing IRP.

Signed-off-by: Daniel Lehman <dlehman at esri.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/ntoskrnl.exe/ntoskrnl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index f2fb0a6d66e..ec297e7d64a 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -1011,8 +1011,9 @@ NTSTATUS CDECL wine_ntoskrnl_main_loop( HANDLE stop_event )
         {
             if (context.irp_data->complete)
             {
-                IoCompleteRequest( context.irp_data->irp, IO_NO_INCREMENT );
+                IRP *irp = context.irp_data->irp;
                 free_dispatch_irp( context.irp_data );
+                IoCompleteRequest( irp, IO_NO_INCREMENT );
             }
             else
             {


