From 4e466b6892a0d3b45759ebbde3e2e7958d5ecc17 Mon Sep 17 00:00:00 2001
From: Cameron Gutman <aicommander@gmail.com>
Date: Fri, 27 Mar 2009 22:32:28 +0000
Subject: [PATCH]  - Fix some issues with LockBuffers  - We must lock buffers
 before using them

svn path=/trunk/; revision=40262
---
 reactos/drivers/network/afd/afd/lock.c  | 19 ++++++++-----------
 reactos/drivers/network/afd/afd/write.c |  9 +++++++++
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/reactos/drivers/network/afd/afd/lock.c b/reactos/drivers/network/afd/afd/lock.c
index 724d36e1ced..e02cbe3627f 100644
--- a/reactos/drivers/network/afd/afd/lock.c
+++ b/reactos/drivers/network/afd/afd/lock.c
@@ -72,7 +72,6 @@ PAFD_WSABUF LockBuffers( PAFD_WSABUF Buf, UINT Count,
     UINT Lock = (LockAddress && AddressLen) ? 2 : 0;
     UINT Size = sizeof(AFD_WSABUF) * (Count + Lock);
     PAFD_WSABUF NewBuf = ExAllocatePool( PagedPool, Size * 2 );
-    PMDL NewMdl;
     BOOLEAN LockFailed = FALSE;
 
     AFD_DbgPrint(MID_TRACE,("Called(%08x)\n", NewBuf));
@@ -82,7 +81,7 @@ PAFD_WSABUF LockBuffers( PAFD_WSABUF Buf, UINT Count,
 
         _SEH2_TRY {
             RtlCopyMemory( NewBuf, Buf, sizeof(AFD_WSABUF) * Count );
-            if( LockAddress ) {
+            if( Lock != 0 ) {
                 NewBuf[Count].buf = AddressBuf;
                 NewBuf[Count].len = *AddressLen;
                 Count++;
@@ -102,20 +101,18 @@ PAFD_WSABUF LockBuffers( PAFD_WSABUF Buf, UINT Count,
 	    AFD_DbgPrint(MID_TRACE,("Locking buffer %d (%x:%d)\n",
 				    i, NewBuf[i].buf, NewBuf[i].len));
 
-	    if( NewBuf[i].len ) {
-		NewMdl = IoAllocateMdl( NewBuf[i].buf,
-					NewBuf[i].len,
-					FALSE,
-					FALSE,
-					NULL );
+	    if( NewBuf[i].buf && NewBuf[i].len ) {
+		MapBuf[i].Mdl = IoAllocateMdl( NewBuf[i].buf,
+					       NewBuf[i].len,
+					       FALSE,
+					       FALSE,
+					       NULL );
 	    } else {
 		MapBuf[i].Mdl = NULL;
 		continue;
 	    }
 
-	    AFD_DbgPrint(MID_TRACE,("NewMdl @ %x\n", NewMdl));
-
-	    MapBuf[i].Mdl = NewMdl;
+	    AFD_DbgPrint(MID_TRACE,("NewMdl @ %x\n", MapBuf[i].Mdl));
 
 	    if( MapBuf[i].Mdl ) {
 		AFD_DbgPrint(MID_TRACE,("Probe and lock pages\n"));
diff --git a/reactos/drivers/network/afd/afd/write.c b/reactos/drivers/network/afd/afd/write.c
index a4461387dd6..42f8a255430 100644
--- a/reactos/drivers/network/afd/afd/write.c
+++ b/reactos/drivers/network/afd/afd/write.c
@@ -391,6 +391,15 @@ AfdPacketSocketWriteData(PDEVICE_OBJECT DeviceObject, PIRP Irp,
 	return UnlockAndMaybeComplete
 	    ( FCB, STATUS_NO_MEMORY, Irp, 0, NULL );
 
+    SendReq->BufferArray = LockBuffers( SendReq->BufferArray,
+                                        SendReq->BufferCount,
+                                        NULL, NULL,
+                                        FALSE, FALSE );
+
+    if( !SendReq->BufferArray )
+	return UnlockAndMaybeComplete( FCB, STATUS_ACCESS_VIOLATION,
+                                       Irp, 0, NULL );
+
     AFD_DbgPrint
 	(MID_TRACE,("RemoteAddress #%d Type %d\n",
 		    ((PTRANSPORT_ADDRESS)SendReq->RemoteAddress)->