[cgutman] 57032: [NDIS] - Fix driver object dispatch table corruption in NdisMRegisterDevice See issue #7191 for more details. - Ros-diffs

3 Aug 2012

Author: cgutman
Date: Fri Aug  3 08:23:02 2012
New Revision: 57032

URL: http://svn.reactos.org/svn/reactos?rev=57032&view=rev
Log:
[NDIS]
- Fix driver object dispatch table corruption in NdisMRegisterDevice
See issue #7191 for more details.

Modified:
    trunk/reactos/drivers/network/ndis/include/miniport.h
    trunk/reactos/drivers/network/ndis/ndis/miniport.c

Modified: trunk/reactos/drivers/network/ndis/include/miniport.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/inclu…
==============================================================================

--- trunk/reactos/drivers/network/ndis/include/miniport.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/include/miniport.h [iso-8859-1] Fri Aug  3 08:23:02
2012
@@ -37,6 +37,7 @@
 typedef struct _NDIS_M_DEVICE_BLOCK {
     PDEVICE_OBJECT DeviceObject;
     PNDIS_STRING   SymbolicName;
+    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1];
 } NDIS_M_DEVICE_BLOCK, *PNDIS_M_DEVICE_BLOCK;
 
 /* resources allocated on behalf on the miniport */

Modified: trunk/reactos/drivers/network/ndis/ndis/miniport.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/ndis/ndis/…
==============================================================================
--- trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/ndis/ndis/miniport.c [iso-8859-1] Fri Aug  3 08:23:02
2012
@@ -2503,7 +2503,59 @@
   return STATUS_SUCCESS;
 }
 
-
+NTSTATUS
+NTAPI
+NdisGenericIrpHandler(
+    IN PDEVICE_OBJECT DeviceObject,
+    IN PIRP Irp)
+{
+    PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
+
+    /* Use the characteristics to classify the device */
+    if (DeviceObject->DeviceType == FILE_DEVICE_PHYSICAL_NETCARD)
+    {
+        if ((IrpSp->MajorFunction == IRP_MJ_CREATE) ||
+            (IrpSp->MajorFunction == IRP_MJ_CLOSE))
+        {
+            return NdisICreateClose(DeviceObject, Irp);
+        }
+        else if (IrpSp->MajorFunction == IRP_MJ_PNP)
+        {
+            return NdisIDispatchPnp(DeviceObject, Irp);
+        }
+        else if (IrpSp->MajorFunction == IRP_MJ_SHUTDOWN)
+        {
+            return NdisIShutdown(DeviceObject, Irp);
+        }
+        else if (IrpSp->MajorFunction == IRP_MJ_DEVICE_CONTROL)
+        {
+            return NdisIDeviceIoControl(DeviceObject, Irp);
+        }
+    }
+    else if (DeviceObject->DeviceType == FILE_DEVICE_NETWORK)
+    {
+        PNDIS_M_DEVICE_BLOCK DeviceBlock = DeviceObject->DeviceExtension;
+
+        ASSERT(DeviceBlock->DeviceObject == DeviceObject);
+
+        if (DeviceBlock->MajorFunction[IrpSp->MajorFunction] != NULL)
+        {
+            return DeviceBlock->MajorFunction[IrpSp->MajorFunction](DeviceObject,
Irp);
+        }
+    }
+    else
+    {
+        ASSERT(FALSE);
+    }
+
+    Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
+    Irp->IoStatus.Information = 0;
+
+    IoCompleteRequest(Irp, IO_NO_INCREMENT);
+
+    return STATUS_INVALID_DEVICE_REQUEST;
+}
+
 /*
  * @implemented
  */
@@ -2527,6 +2579,7 @@
   PNDIS_M_DRIVER_BLOCK Miniport = GET_MINIPORT_DRIVER(NdisWrapperHandle);
   PNDIS_M_DRIVER_BLOCK *MiniportPtr;
   NTSTATUS Status;
+  ULONG i;
 
   NDIS_DbgPrint(MAX_TRACE, ("Called.\n"));
 
@@ -2649,11 +2702,12 @@
 
   *MiniportPtr = Miniport;
 
-  Miniport->DriverObject->MajorFunction[IRP_MJ_CREATE] = NdisICreateClose;
-  Miniport->DriverObject->MajorFunction[IRP_MJ_CLOSE] = NdisICreateClose;
-  Miniport->DriverObject->MajorFunction[IRP_MJ_PNP] = NdisIDispatchPnp;
-  Miniport->DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = NdisIShutdown;
-  Miniport->DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
NdisIDeviceIoControl;
+  /* We have to register for all of these so handler registered in NdisMRegisterDevice
work */
+  for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
+  {
+       Miniport->DriverObject->MajorFunction[i] = NdisGenericIrpHandler;
+  }
+
   Miniport->DriverObject->DriverExtension->AddDevice = NdisIAddDevice;
 
   return NDIS_STATUS_SUCCESS;
@@ -3076,7 +3130,7 @@
     NDIS_DbgPrint(MAX_TRACE, ("Called\n"));
 
     Status = IoCreateDevice(DriverBlock->DriverObject,
-                            0, /* This space is reserved for us. Should we use it? */
+                            sizeof(NDIS_M_DEVICE_BLOCK),
                             DeviceName,
                             FILE_DEVICE_NETWORK,
                             0,
@@ -3098,7 +3152,7 @@
         return Status;
     }
 
-    DeviceBlock = ExAllocatePool(NonPagedPool, sizeof(NDIS_M_DEVICE_BLOCK));
+    DeviceBlock = DeviceObject->DeviceExtension;
 
     if (!DeviceBlock)
     {
@@ -3109,15 +3163,7 @@
     }
 
     for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
-         DriverBlock->DriverObject->MajorFunction[i] = MajorFunctions[i];
-
-    DriverBlock->DriverObject->MajorFunction[IRP_MJ_PNP] = NdisIDispatchPnp;
-
-    if (!DriverBlock->DriverObject->MajorFunction[IRP_MJ_CREATE])
-        DriverBlock->DriverObject->MajorFunction[IRP_MJ_CREATE] =
NdisICreateClose;
-
-    if (!DriverBlock->DriverObject->MajorFunction[IRP_MJ_CLOSE])
-        DriverBlock->DriverObject->MajorFunction[IRP_MJ_CLOSE] = NdisICreateClose;
+         DeviceBlock->MajorFunction[i] = MajorFunctions[i];
 
     DeviceBlock->DeviceObject = DeviceObject;
     DeviceBlock->SymbolicName = SymbolicName;
@@ -3147,8 +3193,6 @@
     IoDeleteDevice(DeviceBlock->DeviceObject);
 
     IoDeleteSymbolicLink(DeviceBlock->SymbolicName);
-
-    ExFreePool(DeviceBlock);
 
     return NDIS_STATUS_SUCCESS;
 }



    