6a0cea6b
by Yuxuan Shui at 2025-06-09T23:03:02+02:00
iphlpapi: Fix use-after-free of apc context.
In IcmpSendEcho2Ex, if STATUS_PENDING is returned from NtDeviceIoControlFile,
there are two cases. If no event handle or apc routine were given, we wait for
the request to complete before returning, thus freeing the apc context is fine
in this case. But if an event handle _is_ given, we will return STATUS_PENDING,
and the request will still be in flight at this point, and we cannot free the
apc context.
However, the condition for freeing the context only checks for apc_routine, and
not event, resulting in a use-after-free if an apc_routine is not given but an
event is.
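The ownership rule the commit describes, as an added example that is not Wine's code: a small portable C model of the IcmpSendEcho2Ex decision, where a simulated driver completes a pending request later and writes into the context. The STATUS_* values, the struct layout, the `send_echo`/`sim_ioctl`/`sim_complete` names and the `freed` tracking flag are all assumptions made for the illustration; the real completion path also frees the context after an asynchronous request, which is left out here because the point is the free that happens too early.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the NT status codes named in the commit message. */
#define STATUS_SUCCESS 0
#define STATUS_PENDING 0x103

typedef void (*apc_fn)(void *ctx);

/* Model of the per-request context allocated before the ioctl (layout is assumed). */
struct apc_ctx {
    bool freed;        /* tracking flag so a use-after-free is observable instead of UB */
    int reply_count;   /* written by the completion path */
    apc_fn apc_routine;
    bool *event;       /* NULL if the caller gave no event; set on completion */
};

/* Simulated driver holding at most one in-flight request. */
static struct apc_ctx *in_flight;

/* Marks the context freed instead of calling free(), so the flag survives for the check. */
static void ctx_free(struct apc_ctx *c) { c->freed = true; }

/* Simulated NtDeviceIoControlFile: completes synchronously only when the caller
 * gave neither an event nor an APC routine (the model of "we wait for completion"). */
static int sim_ioctl(struct apc_ctx *c)
{
    if (!c->event && !c->apc_routine) {
        c->reply_count = 1;
        return STATUS_SUCCESS;
    }
    in_flight = c;
    return STATUS_PENDING;
}

/* Simulated asynchronous completion: the kernel writes into the context later.
 * Returns true if that write landed in memory the caller had already released. */
static bool sim_complete(void)
{
    struct apc_ctx *c = in_flight;
    if (!c) return false;
    in_flight = NULL;
    bool uaf = c->freed;
    c->reply_count = 1;            /* this write is the use-after-free in the buggy version */
    if (c->event) *c->event = true;
    if (c->apc_routine) c->apc_routine(c);
    return uaf;
}

/* The decision the commit message describes. 'fixed' selects the corrected condition:
 * the request is still in flight if EITHER an APC routine OR an event was given. */
static int send_echo(struct apc_ctx *c, bool fixed)
{
    int status = sim_ioctl(c);
    if (status == STATUS_PENDING) {
        bool still_in_flight = fixed ? (c->apc_routine != NULL || c->event != NULL)
                                     : (c->apc_routine != NULL);   /* old: ignores event */
        if (still_in_flight) return STATUS_PENDING;  /* completion path owns the context */
    }
    ctx_free(c);   /* synchronous path: the request is already finished */
    return status;
}

static void noop_apc(void *ctx) { (void)ctx; }

/* Runs one call/completion cycle and reports whether completion hit freed memory. */
bool scenario_hits_uaf(bool with_event, bool with_apc, bool fixed)
{
    bool ev = false;
    struct apc_ctx c = { .apc_routine = with_apc ? noop_apc : NULL,
                         .event = with_event ? &ev : NULL };
    in_flight = NULL;
    send_echo(&c, fixed);
    return sim_complete();
}

int main(void)
{
    printf("event only, old condition : uaf=%d\n", scenario_hits_uaf(true, false, false));
    printf("event only, fixed         : uaf=%d\n", scenario_hits_uaf(true, false, true));
    printf("apc only, old condition   : uaf=%d\n", scenario_hits_uaf(false, true, false));
    printf("synchronous, old condition: uaf=%d\n", scenario_hits_uaf(false, false, false));
    return 0;
}
```

Only the event-without-APC combination differs between the two conditions, which is exactly the case the commit message singles out; the synchronous and APC-routine paths behave the same before and after.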