16 Feb
2015
16 Feb
'15
3:16 a.m.
Author: jimtabor
Date: Mon Feb 16 03:16:01 2015
New Revision: 66309
URL: http://svn.reactos.org/svn/reactos?rev=66309&view=rev
Log:
[NtUser]
- This fixes use after free linking in the message system. See CORE-9173. Dedicated to
Thomas Faber.
Modified:
trunk/reactos/win32ss/user/ntuser/msgqueue.c
Modified: trunk/reactos/win32ss/user/ntuser/msgqueue.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/msgque…
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/msgqueue.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/msgqueue.c [iso-8859-1] Mon Feb 16 03:16:01 2015
@@ -789,8 +789,7 @@
/* insert it to the list of messages that are currently dispatched by this
message queue */
- InsertTailList(&pti->LocalDispatchingMessagesHead,
- &Message->ListEntry);
+ InsertTailList(&pti->LocalDispatchingMessagesHead,
&Message->ListEntry);
ClearMsgBitsMask(pti, Message->QS_Flags);
@@ -866,7 +865,7 @@
}
/* remove the message from the dispatching list if needed, so lock the sender's
message queue */
- if (Message->ptiSender)
+ if (Message->ptiSender && !(Message->ptiSender->TIF_flags &
TIF_INCLEANUP))
{
if (Message->DispatchingListEntry.Flink != NULL)
{
@@ -953,8 +952,8 @@
ListHead = &pti->SentMessagesListHead;
while (CurrentEntry != ListHead)
{
- SentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
- ListEntry);
+ SentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE, ListEntry);
+
if(SentMessage->Msg.hwnd == Window->head.h)
{
TRACE("Notify the sender and remove a message from the queue that had not
been dispatched\n");
@@ -1187,6 +1186,7 @@
Message->CompletionEvent = NULL;
Message->Result = NULL;
RemoveEntryList(&Message->ListEntry);
+ RemoveEntryList(&Message->DispatchingListEntry);
ClearMsgBitsMask(ptirec, Message->QS_Flags);
ExFreePoolWithTag(Message, TAG_USRMSG);
break;
@@ -1194,30 +1194,8 @@
Entry = Entry->Flink;
}
- /* Remove from the local dispatching list so the other thread knows,
- it can't pass a result and it must not set the completion event anymore
*/
- Entry = pti->DispatchingMessagesHead.Flink;
- while (Entry != &pti->DispatchingMessagesHead)
- {
- if ((PUSER_SENT_MESSAGE) CONTAINING_RECORD(Entry, USER_SENT_MESSAGE,
DispatchingListEntry)
- == Message)
- {
- /* We can access Message here, it's secure because the sender's
message is locked
- and the message has definitely not yet been destroyed, otherwise it
would
- have been removed from this list by the dispatching routine right
after
- dispatching the message */
- Message->CompletionEvent = NULL;
- Message->Result = NULL;
- RemoveEntryList(&Message->DispatchingListEntry);
- Message->DispatchingListEntry.Flink = NULL;
- break;
- }
- Entry = Entry->Flink;
- }
-
TRACE("MsqSendMessage (blocked) timed out 1 Status %p\n",WaitStatus);
-
- }
+ }
// Receiving thread passed on and left us hanging with issues still pending.
if ( WaitStatus == STATUS_WAIT_1 )
{
@@ -1272,29 +1250,9 @@
Message->CompletionEvent = NULL;
Message->Result = NULL;
RemoveEntryList(&Message->ListEntry);
+ RemoveEntryList(&Message->DispatchingListEntry);
ClearMsgBitsMask(ptirec, Message->QS_Flags);
ExFreePoolWithTag(Message, TAG_USRMSG);
- break;
- }
- Entry = Entry->Flink;
- }
-
- /* Remove from the local dispatching list so the other thread knows,
- it can't pass a result and it must not set the completion event
anymore */
- Entry = pti->DispatchingMessagesHead.Flink;
- while (Entry != &pti->DispatchingMessagesHead)
- {
- if ((PUSER_SENT_MESSAGE) CONTAINING_RECORD(Entry, USER_SENT_MESSAGE,
DispatchingListEntry)
- == Message)
- {
- /* We can access Message here, it's secure because the sender's
message is locked
- and the message has definitely not yet been destroyed, otherwise it
would
- have been removed from this list by the dispatching routine right
after
- dispatching the message */
- Message->CompletionEvent = NULL;
- Message->Result = NULL;
- RemoveEntryList(&Message->DispatchingListEntry);
- Message->DispatchingListEntry.Flink = NULL;
break;
}
Entry = Entry->Flink;
@@ -1375,12 +1333,7 @@
MessageQueue = pti->MessageQueue;
- if (dwQEvent)
- {
- ERR("Post Msg; System Qeued Event Message!\n");
- InsertHeadList(&pti->PostedMessagesListHead, &Message->ListEntry);
- }
- else if (!HardwareMessage)
+ if (!HardwareMessage)
{
InsertTailList(&pti->PostedMessagesListHead, &Message->ListEntry);
}
@@ -2122,8 +2075,7 @@
while (!IsListEmpty(&pti->PostedMessagesListHead))
{
CurrentEntry = RemoveHeadList(&pti->PostedMessagesListHead);
- CurrentMessage = CONTAINING_RECORD(CurrentEntry, USER_MESSAGE,
- ListEntry);
+ CurrentMessage = CONTAINING_RECORD(CurrentEntry, USER_MESSAGE, ListEntry);
MsqDestroyMessage(CurrentMessage);
}
@@ -2131,8 +2083,7 @@
while (!IsListEmpty(&pti->SentMessagesListHead))
{
CurrentEntry = RemoveHeadList(&pti->SentMessagesListHead);
- CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
- ListEntry);
+ CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
ListEntry);
TRACE("Notify the sender and remove a message from the queue that had not been
dispatched\n");
/* Only if the message has a sender was the message in the DispatchingList */
@@ -2163,8 +2114,7 @@
while (!IsListEmpty(&pti->LocalDispatchingMessagesHead))
{
CurrentEntry = RemoveHeadList(&pti->LocalDispatchingMessagesHead);
- CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
- ListEntry);
+ CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
ListEntry);
/* remove the message from the dispatching list */
if(CurrentSentMessage->DispatchingListEntry.Flink != NULL)
@@ -2194,8 +2144,7 @@
while (! IsListEmpty(&pti->DispatchingMessagesHead))
{
CurrentEntry = RemoveHeadList(&pti->DispatchingMessagesHead);
- CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
- DispatchingListEntry);
+ CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE,
DispatchingListEntry);
CurrentSentMessage->CompletionEvent = NULL;
CurrentSentMessage->Result = NULL;