[ros-diffs] [fireball] 33128: - Fix logic bugs in LpcRequestPort (which is not the same as NtRequestPort as someone incorrectly assumed previously) and also reference/dereference the process who owns the server mapping.

fireball at svn.reactos.org fireball at svn.reactos.org
Wed Apr 23 18:40:09 CEST 2008


Author: fireball
Date: Wed Apr 23 11:40:08 2008
New Revision: 33128

URL: http://svn.reactos.org/svn/reactos?rev=33128&view=rev
Log:
- Fix logic bugs in LpcRequestPort (which is not the same as NtRequestPort as someone incorrectly assumed previously) and also reference/dereference the process who owns the server mapping.

Modified:
    trunk/reactos/ntoskrnl/lpc/close.c
    trunk/reactos/ntoskrnl/lpc/connect.c
    trunk/reactos/ntoskrnl/lpc/send.c

Modified: trunk/reactos/ntoskrnl/lpc/close.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/lpc/close.c?rev=33128&r1=33127&r2=33128&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/lpc/close.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/lpc/close.c [iso-8859-1] Wed Apr 23 11:40:08 2008
@@ -374,7 +374,7 @@
         }
 
         /* Dereference the mapping process */
-        //ObDereferenceObject(Port->MappingProcess);
+        ObDereferenceObject(Port->MappingProcess);
         Port->MappingProcess = NULL;
     }
 
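Review bot: The restored `ObDereferenceObject(Port->MappingProcess);` is unconditional, so this path must only be reached when `Port->MappingProcess` is non-NULL, and the block it sits in opens outside the hunk so I cannot see its guard. A port that took the `else` branch of the connect.c hunk (which does not set MappingProcess) would pass NULL here if the guard is not on the field itself. If that guard is not `if (Port->MappingProcess)`, wrap the two lines as `if (Port->MappingProcess) { ObDereferenceObject(Port->MappingProcess); Port->MappingProcess = NULL; }` so the pairing with the ObReferenceObject added in connect.c is explicit. The enclosing function continues outside the hunk.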

Modified: trunk/reactos/ntoskrnl/lpc/connect.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/lpc/connect.c?rev=33128&r1=33127&r2=33128&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/lpc/connect.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/lpc/connect.c [iso-8859-1] Wed Apr 23 11:40:08 2008
@@ -299,7 +299,7 @@
 
         /* Reference and remember the process */
         ClientPort->MappingProcess = PsGetCurrentProcess();
-        //ObReferenceObject(ClientPort->MappingProcess);
+        ObReferenceObject(ClientPort->MappingProcess);
     }
     else
     {

Modified: trunk/reactos/ntoskrnl/lpc/send.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/lpc/send.c?rev=33128&r1=33127&r2=33128&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/lpc/send.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/lpc/send.c [iso-8859-1] Wed Apr 23 11:40:08 2008
@@ -198,28 +198,41 @@
     if (Thread->LpcExitThreadCalled) return STATUS_THREAD_IS_TERMINATING;
 
     /* Check if this is an LPC Request */
-    if (LpcpGetMessageType(LpcRequest) == LPC_REQUEST)
-    {
-        /* Then it's a callback */
-        Callback = TRUE;
-    }
-    else
-    {
-        /* This is a kernel-mode message without a callback */
-        LpcRequest->u2.s2.Type |= LPC_REQUEST;
-        Callback = FALSE;
-    }
-
-    /* Get the message type */
-    MessageType = LpcRequest->u2.s2.Type;
-
-    /* Validate the length */
-    if (((ULONG)LpcRequest->u1.s1.DataLength + sizeof(PORT_MESSAGE)) >
-         (ULONG)LpcRequest->u1.s1.TotalLength)
-    {
-        /* Fail */
-        return STATUS_INVALID_PARAMETER;
-    }
+    MessageType = LpcpGetMessageType(LpcRequest);
+    switch (MessageType)
+    {
+        /* No type */
+        case 0:
+            
+            /* Assume LPC request */
+            MessageType = LPC_REQUEST;
+            break;
+        
+        /* LPC request callback */
+        case LPC_REQUEST:
+            
+            /* This is a callback */
+            Callback = TRUE;
+            break;
+        
+        /* Anything else */
+        case LPC_CLIENT_DIED:
+        case LPC_PORT_CLOSED:
+        case LPC_EXCEPTION:
+        case LPC_DEBUG_EVENT:
+        case LPC_ERROR_EVENT:
+            
+            /* Nothing to do */
+            break;
+            
+        default:
+            
+            /* Invalid message type */
+            return STATUS_INVALID_PARAMETER;
+    }
+    
+    /* Set the request type */
+    LpcRequest->u2.s2.Type = MessageType;
 
     /* Validate the message length */
     if (((ULONG)LpcRequest->u1.s1.TotalLength > Port->MaxMessageLength) ||
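Review bot: `Callback` is now assigned only in the `case LPC_REQUEST:` arm; `case 0` and the event-type arms leave it untouched, so unless it is initialised at its declaration (outside the hunk) the later test of `Callback` reads an indeterminate BOOLEAN. The old `else` branch always set `Callback = FALSE;`, so either initialise it at the declaration or add `Callback = FALSE;` just before the `switch`. The removed check `DataLength + sizeof(PORT_MESSAGE) > TotalLength` has no replacement in this hunk, and the length validation that follows is cut off at the hunk end, so if it does not cover DataLength a request whose DataLength exceeds its TotalLength now reaches LpcpMoveMessage. The new `LpcRequest->u2.s2.Type = MessageType;` also replaces the old `|=`, dropping any bits a caller set in the Type field beyond what LpcpGetMessageType returns; presumably intended, but a one-line comment saying so would help. LpcRequestPort begins and ends outside the hunk.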
@@ -250,7 +263,7 @@
         LpcpMoveMessage(&Message->Request,
                         LpcRequest,
                         LpcRequest + 1,
-                        MessageType,
+                        0,
                         &Thread->Cid);
 
         /* Acquire the LPC lock */
@@ -383,19 +396,21 @@
                             (&Message->Request) + 1,
                             0,
                             NULL);
-
-            /* Check if this is an LPC request with data information */
-            if ((LpcpGetMessageType(&Message->Request) == LPC_REQUEST) &&
-                (Message->Request.u2.s2.DataInfoOffset))
-            {
-                /* Save the data information */
-                LpcpSaveDataInfoMessage(Port, Message, 0);
-            }
-            else
-            {
-                /* Otherwise, just free it */
-                LpcpFreeToPortZone(Message, 0);
-            }
+            
+            /* Acquire the lock */
+            KeAcquireGuardedMutex(&LpcpLock);
+            
+            /* Check if we replied to a thread */
+            if (Message->RepliedToThread)
+            {
+                /* Dereference */
+                ObDereferenceObject(Message->RepliedToThread);
+                Message->RepliedToThread = NULL;
+            }
+
+
+            /* Free the message */
+            LpcpFreeToPortZone(Message, 3);
         }
         else
         {
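Review bot: `KeAcquireGuardedMutex(&LpcpLock);` is taken before the dereference but no matching release appears in the hunk, so a reader must know that the `3` now passed to LpcpFreeToPortZone (previously `0`) presumably tells the callee the lock is already held and that it should release it; the bare literal deserves a comment such as `/* Free the message; flags 3: LpcpLock held, callee releases it -- confirm against LpcpFreeToPortZone */`. The hunk also drops the LpcpSaveDataInfoMessage path for LPC_REQUEST messages with a DataInfoOffset, so every message is now freed here; if a server was expected to read that data information later, the path needs restoring or the log should say why it is no longer needed. The doubled blank line before `/* Free the message */` is a style nit. The enclosing function continues outside the hunk.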
@@ -415,6 +430,7 @@
              Port,
              Status);
 
+    /* Dereference the connection port */
     if (ConnectionPort) ObDereferenceObject(ConnectionPort);
     return Status;
 }


