From 824c5e07c05c27cd9f460702558183c9ceba9a21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Mon, 7 Nov 2016 12:35:09 +0000
Subject: [PATCH] [NTOS:LPC]

- Capture the ServerView/ClientView *only* when those pointers are not NULL.
- Fix a LpcRequest vs. CapturedLpcRequest in a call to LpcpMoveMessage.
Caught by Thomas.

CORE-7371
CR-100

svn path=/trunk/; revision=73166
---
 reactos/ntoskrnl/lpc/complete.c | 33 ++++++++++++++++++++++-----------
 reactos/ntoskrnl/lpc/connect.c | 8 ++++----
 reactos/ntoskrnl/lpc/send.c | 2 +-
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/reactos/ntoskrnl/lpc/complete.c b/reactos/ntoskrnl/lpc/complete.c
index 23472ac6d8e..30eb70069ee 100644
--- a/reactos/ntoskrnl/lpc/complete.c
+++ b/reactos/ntoskrnl/lpc/complete.c
@@ -84,7 +84,9 @@ NtAcceptConnectPort(OUT PHANDLE PortHandle,
             ProbeForRead(ReplyMessage + 1, ConnectionInfoLength, 1);
 
             /* The following parameters are optional */
-            if (ServerView != NULL)
+
+            /* Capture the server view */
+            if (ServerView)
             {
                 ProbeForWrite(ServerView, sizeof(*ServerView), sizeof(ULONG));
                 CapturedServerView = *(volatile PORT_VIEW*)ServerView;
@@ -97,7 +99,8 @@ NtAcceptConnectPort(OUT PHANDLE PortHandle,
                 }
             }
 
-            if (ClientView != NULL)
+            /* Capture the client view */
+            if (ClientView)
             {
                 ProbeForWrite(ClientView, sizeof(*ClientView), sizeof(ULONG));
@@ -121,19 +124,27 @@ NtAcceptConnectPort(OUT PHANDLE PortHandle,
         CapturedReplyMessage = *ReplyMessage;
         ConnectionInfoLength = CapturedReplyMessage.u1.s1.DataLength;
 
-        /* Validate the size of the server view */
-        if ((ServerView) && (ServerView->Length != sizeof(*ServerView)))
+        /* Capture the server view */
+        if (ServerView)
         {
-            /* Invalid size */
-            return STATUS_INVALID_PARAMETER;
+            /* Validate the size of the server view */
+            if (ServerView->Length != sizeof(*ServerView))
+            {
+                /* Invalid size */
+                return STATUS_INVALID_PARAMETER;
+            }
+            CapturedServerView = *ServerView;
         }
-        CapturedServerView = *ServerView;
 
-        /* Validate the size of the client view */
-        if ((ClientView) && (ClientView->Length != sizeof(*ClientView)))
+        /* Capture the client view */
+        if (ClientView)
         {
-            /* Invalid size */
-            return STATUS_INVALID_PARAMETER;
+            /* Validate the size of the client view */
+            if (ClientView->Length != sizeof(*ClientView))
+            {
+                /* Invalid size */
+                return STATUS_INVALID_PARAMETER;
+            }
         }
     }
diff --git a/reactos/ntoskrnl/lpc/connect.c b/reactos/ntoskrnl/lpc/connect.c
index 9e99538c256..a45468b3437 100644
--- a/reactos/ntoskrnl/lpc/connect.c
+++ b/reactos/ntoskrnl/lpc/connect.c
@@ -130,7 +130,7 @@ NtSecureConnectPort(OUT PHANDLE PortHandle,
             /* The following parameters are optional */
 
             /* Capture the client view */
-            if (ClientView != NULL)
+            if (ClientView)
             {
                 ProbeForWrite(ClientView, sizeof(*ClientView), sizeof(ULONG));
                 CapturedClientView = *(volatile PORT_VIEW*)ClientView;
@@ -145,7 +145,7 @@ NtSecureConnectPort(OUT PHANDLE PortHandle,
             }
 
             /* Capture the server view */
-            if (ServerView != NULL)
+            if (ServerView)
             {
                 ProbeForWrite(ServerView, sizeof(*ServerView), sizeof(ULONG));
@@ -202,7 +202,7 @@ NtSecureConnectPort(OUT PHANDLE PortHandle,
         /* The following parameters are optional */
 
         /* Capture the client view */
-        if (ClientView != NULL)
+        if (ClientView)
         {
             /* Validate the size of the client view */
             if (ClientView->Length != sizeof(*ClientView))
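Review bot: In the kernel-mode branch of NtAcceptConnectPort (complete.c hunk at line 121) the server view is validated and then copied with `CapturedServerView = *ServerView;`, but the client view is only length-checked and never copied into a captured variable. If the rest of the function reads a CapturedClientView the way the probe path fills one (NtSecureConnectPort does so in connect.c's hunk at line 130 with `CapturedClientView = *(volatile PORT_VIEW*)ClientView;`), the kernel-mode branch leaves it uninitialized; either add `CapturedClientView = *ClientView;` after the length check, mirroring the server-view block, or state in the comment why kernel-mode callers need only the validation. The enclosing else block and the function continue outside the hunk, so this is inferred from the visible asymmetry alone.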
@@ -214,7 +214,7 @@ NtSecureConnectPort(OUT PHANDLE PortHandle,
         }
 
         /* Capture the server view */
-        if (ServerView != NULL)
+        if (ServerView)
         {
             /* Validate the size of the server view */
             if (ServerView->Length != sizeof(*ServerView))
diff --git a/reactos/ntoskrnl/lpc/send.c b/reactos/ntoskrnl/lpc/send.c
index 74589b99a98..d6b22063014 100644
--- a/reactos/ntoskrnl/lpc/send.c
+++ b/reactos/ntoskrnl/lpc/send.c
@@ -857,7 +857,7 @@ NtRequestWaitReplyPort(IN HANDLE PortHandle,
 
     /* Copy it */
     LpcpMoveMessage(&Message->Request,
-                    LpcRequest,
+                    &CapturedLpcRequest,
                     LpcRequest + 1,
                     MessageType,
                     &Thread->Cid);
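Review bot: The message header now comes from the captured copy, but the data argument `LpcRequest + 1` in the send.c hunk at line 857 still points at the caller's buffer, and nothing in the hunk shows this copy running under SEH; if LpcpMoveMessage reads DataLength bytes from that pointer outside a try/except, a user buffer that becomes invalid after the earlier probe would fault in the kernel instead of returning an error. This should be confirmed against the capture code at the top of NtRequestWaitReplyPort, which is outside the hunk, and the split deserves a comment above the call such as `/* Header from the captured copy; data is still read from the caller's buffer using the captured DataLength */`. If the call is not already guarded, wrapping it in the same _SEH2_TRY/_SEH2_EXCEPT pattern the capture path uses would turn that failure into an NTSTATUS rather than a bugcheck.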