From 18c4b99d0811b324f9321ec160995d626b792df2 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Mon, 27 Aug 2012 03:42:28 +0000
Subject: [PATCH] [AFD] - Only access stack parameters when we're sure that the major function is correct

svn path=/trunk/; revision=57173
---
 reactos/drivers/network/afd/afd/main.c | 31 +++++++++++++++++++-------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/reactos/drivers/network/afd/afd/main.c b/reactos/drivers/network/afd/afd/main.c
index bec9b968ca7..fcbf9180df3 100644
--- a/reactos/drivers/network/afd/afd/main.c
+++ b/reactos/drivers/network/afd/afd/main.c
@@ -1046,23 +1046,38 @@ CleanupPendingIrp(PAFD_FCB FCB, PIRP Irp, PIO_STACK_LOCATION IrpSp, PAFD_ACTIVE_
 PAFD_SEND_INFO SendReq;
 PAFD_POLL_INFO PollReq;
 
- if (IrpSp->Parameters.DeviceIoControl.IoControlCode == IOCTL_AFD_RECV ||
- IrpSp->MajorFunction == IRP_MJ_READ)
+ if (IrpSp->MajorFunction == IRP_MJ_READ)
 {
 RecvReq = GetLockedData(Irp, IrpSp);
 UnlockBuffers(RecvReq->BufferArray, RecvReq->BufferCount, CheckUnlockExtraBuffers(FCB, IrpSp));
 }
- else if (IrpSp->Parameters.DeviceIoControl.IoControlCode == IOCTL_AFD_SEND ||
- IrpSp->MajorFunction == IRP_MJ_WRITE)
+ else if (IrpSp->MajorFunction == IRP_MJ_WRITE)
 {
 SendReq = GetLockedData(Irp, IrpSp);
 UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, CheckUnlockExtraBuffers(FCB, IrpSp));
 }
- else if (IrpSp->Parameters.DeviceIoControl.IoControlCode == IOCTL_AFD_SELECT)
+ else
 {
- PollReq = Irp->AssociatedIrp.SystemBuffer;
- ZeroEvents(PollReq->Handles, PollReq->HandleCount);
- SignalSocket(Poll, NULL, PollReq, STATUS_CANCELLED);
+ ASSERT(IrpSp->MajorFunction == IRP_MJ_DEVICE_CONTROL);
+
+ if (IrpSp->Parameters.DeviceIoControl.IoControlCode == IOCTL_AFD_RECV)
+ {
+ RecvReq = GetLockedData(Irp, IrpSp);
+ UnlockBuffers(RecvReq->BufferArray, RecvReq->BufferCount, CheckUnlockExtraBuffers(FCB, IrpSp));
+ }
+ else if (IrpSp->Parameters.DeviceIoControl.IoControlCode == IOCTL_AFD_SEND)
+ {
+ SendReq = GetLockedData(Irp, IrpSp);
+ UnlockBuffers(SendReq->BufferArray, SendReq->BufferCount, CheckUnlockExtraBuffers(FCB, IrpSp));
+ }
+ else if (IrpSp->Parameters.DeviceIoControl.IoControlCode == IOCTL_AFD_SELECT)
+ {
+ ASSERT(Poll);
+
+ PollReq = Irp->AssociatedIrp.SystemBuffer;
+ ZeroEvents(PollReq->Handles, PollReq->HandleCount);
+ SignalSocket(Poll, NULL, PollReq, STATUS_CANCELLED);
+ }
 }
 }
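Review bot: The `ASSERT(IrpSp->MajorFunction == IRP_MJ_DEVICE_CONTROL);` at the top of the new `else` branch guards the union read only in debug builds, assuming the usual NT-style ASSERT that compiles out when DBG is off. In a free build, any IRP that is neither READ nor WRITE still has `Parameters.DeviceIoControl.IoControlCode` interpreted, which is the access this commit sets out to prevent. Make it a runtime condition instead, `else if (IrpSp->MajorFunction == IRP_MJ_DEVICE_CONTROL)`, so other major functions fall through without touching the IOCTL fields. The same concern applies to `ASSERT(Poll);` in the IOCTL_AFD_SELECT branch, where a NULL `Poll` would reach `SignalSocket` unchecked in a free build; whether a caller can pass NULL is not visible here. CleanupPendingIrp begins above the hunk, so the callers and the contract for `Poll` need to be confirmed there.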