- Fix logic bugs in LpcRequestPort (which is not the same as NtRequestPort, as someone incorrectly assumed previously) and also reference/dereference the process that owns the server mapping.

svn path=/trunk/; revision=33128
Aleksey Bragin 2008-04-23 16:40:08 +00:00
parent 983f990ed9
commit c72bfe8de2
3 changed files with 51 additions and 35 deletions


@ -374,7 +374,7 @@ LpcpDeletePort(IN PVOID ObjectBody)
}
/* Dereference the mapping process */
//ObDereferenceObject(Port->MappingProcess);
ObDereferenceObject(Port->MappingProcess);
Port->MappingProcess = NULL;
}
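Review bot: The dereference now enabled at `ObDereferenceObject(Port->MappingProcess);` is only safe if MappingProcess is guaranteed non-NULL at this point; in this same commit NtSecureConnectPort takes the reference on one branch only (the other is an `else`), so a port that never received a mapping would reach this line with a NULL pointer unless the enclosing block, whose opening is outside the hunk, is an `if (Port->MappingProcess)` guard. If it is not, wrap the two lines as `if (Port->MappingProcess) { ObDereferenceObject(Port->MappingProcess); Port->MappingProcess = NULL; }`. LpcpDeletePort's body starts before this hunk.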


@ -299,7 +299,7 @@ NtSecureConnectPort(OUT PHANDLE PortHandle,
/* Reference and remember the process */
ClientPort->MappingProcess = PsGetCurrentProcess();
//ObReferenceObject(ClientPort->MappingProcess);
ObReferenceObject(ClientPort->MappingProcess);
}
else
{


@ -198,28 +198,41 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
if (Thread->LpcExitThreadCalled) return STATUS_THREAD_IS_TERMINATING;
/* Check if this is an LPC Request */
if (LpcpGetMessageType(LpcRequest) == LPC_REQUEST)
MessageType = LpcpGetMessageType(LpcRequest);
switch (MessageType)
{
/* Then it's a callback */
Callback = TRUE;
}
else
{
/* This is a kernel-mode message without a callback */
LpcRequest->u2.s2.Type |= LPC_REQUEST;
Callback = FALSE;
}
/* Get the message type */
MessageType = LpcRequest->u2.s2.Type;
/* Validate the length */
if (((ULONG)LpcRequest->u1.s1.DataLength + sizeof(PORT_MESSAGE)) >
(ULONG)LpcRequest->u1.s1.TotalLength)
{
/* Fail */
return STATUS_INVALID_PARAMETER;
/* No type */
case 0:
/* Assume LPC request */
MessageType = LPC_REQUEST;
break;
/* LPC request callback */
case LPC_REQUEST:
/* This is a callback */
Callback = TRUE;
break;
/* Anything else */
case LPC_CLIENT_DIED:
case LPC_PORT_CLOSED:
case LPC_EXCEPTION:
case LPC_DEBUG_EVENT:
case LPC_ERROR_EVENT:
/* Nothing to do */
break;
default:
/* Invalid message type */
return STATUS_INVALID_PARAMETER;
}
/* Set the request type */
LpcRequest->u2.s2.Type = MessageType;
/* Validate the message length */
if (((ULONG)LpcRequest->u1.s1.TotalLength > Port->MaxMessageLength) ||
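Review bot: `Callback` is assigned only in the `case LPC_REQUEST:` arm of the new switch, while the removed else branch used to set `Callback = FALSE` for every other type, so unless `Callback` is initialised at its declaration (outside the hunk) the other arms now leave it indeterminate; add `Callback = FALSE;` directly before `switch (MessageType)` or initialise it at the declaration. Separately, `LpcRequest->u2.s2.Type = MessageType;` overwrites the whole Type field where the old code OR'd LPC_REQUEST into it; if LpcpGetMessageType strips flag bits (such as LPC_KERNELMODE_MESSAGE) before returning the type, this assignment discards them, which is worth confirming against that macro. The old explicit check that DataLength plus sizeof(PORT_MESSAGE) does not exceed TotalLength is no longer visible here, and the length validation that replaces it continues past the hunk, so verify it still covers that relation. LpcRequestWaitReplyPort starts before and continues past this hunk.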
@ -250,7 +263,7 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
LpcpMoveMessage(&Message->Request,
LpcRequest,
LpcRequest + 1,
MessageType,
0,
&Thread->Cid);
/* Acquire the LPC lock */
@ -383,19 +396,21 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
(&Message->Request) + 1,
0,
NULL);
/* Acquire the lock */
KeAcquireGuardedMutex(&LpcpLock);
/* Check if we replied to a thread */
if (Message->RepliedToThread)
{
/* Dereference */
ObDereferenceObject(Message->RepliedToThread);
Message->RepliedToThread = NULL;
}
/* Check if this is an LPC request with data information */
if ((LpcpGetMessageType(&Message->Request) == LPC_REQUEST) &&
(Message->Request.u2.s2.DataInfoOffset))
{
/* Save the data information */
LpcpSaveDataInfoMessage(Port, Message, 0);
}
else
{
/* Otherwise, just free it */
LpcpFreeToPortZone(Message, 0);
}
/* Free the message */
LpcpFreeToPortZone(Message, 3);
}
else
{
@ -415,6 +430,7 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
Port,
Status);
/* Dereference the connection port */
if (ConnectionPort) ObDereferenceObject(ConnectionPort);
return Status;
}