From f562f9c5c629cba3f370f078d12c2f13a997c8f2 Mon Sep 17 00:00:00 2001
From: Victor Perevertkin
Date: Mon, 7 Sep 2020 04:57:17 +0300
Subject: [PATCH] [NTOS:IO] Fix IRP stack location check in IoForwardIrpSynchronously We are doing IoCallDriver here, so the valid stack location should be CurrentLocation <= Irp->StackCount (just a check for a completly incorrect value) && CurrentLocation > 1 (ensure that we have a place for another call) CORE-17189 Co-authored-by: Thomas Faber
---
 ntoskrnl/io/iomgr/irp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ntoskrnl/io/iomgr/irp.c b/ntoskrnl/io/iomgr/irp.c
index 1b19d49e9a4..2de843975e0 100644
--- a/ntoskrnl/io/iomgr/irp.c
+++ b/ntoskrnl/io/iomgr/irp.c
@@ -1629,7 +1629,7 @@ IoForwardIrpSynchronously(IN PDEVICE_OBJECT DeviceObject,
 NTSTATUS Status;
 /* Check if next stack location is available */
- if (Irp->CurrentLocation < Irp->StackCount)
+ if (Irp->CurrentLocation > Irp->StackCount || Irp->CurrentLocation <= 1)
 {
 /* No more stack location */
 return FALSE;
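Review bot: The comments around the new condition still read `/* Check if next stack location is available */` and `/* No more stack location */`, but the test now has two distinct bounds whose rationale exists only in the commit message. I would replace the first comment with something like `/* Need a valid current location (<= StackCount) and a free one below it for IoCallDriver (> 1) */`, so the next maintainer does not "simplify" the check back into a single comparison. The two failure cases also differ in kind: `CurrentLocation <= 1` is an exhausted stack, while `CurrentLocation > Irp->StackCount` looks like an IRP in an invalid state, which the silent `return FALSE` makes hard to spot. An `ASSERT(Irp->CurrentLocation <= Irp->StackCount);` ahead of the check would surface that in checked builds, if it fits the file's conventions. The body of IoForwardIrpSynchronously continues past the hunk, so what callers do with the FALSE return is not visible here.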