Author: tfaber
Date: Sun Oct 19 22:12:06 2014
New Revision: 64838
URL:
http://svn.reactos.org/svn/reactos?rev=64838&view=rev
Log:
[AFD]
- Do not pass IO_STATUS_BLOCKs when creating IRPs for asynchronous use. Fixes a
use-after-free where AfdCloseSocket would cancel IRPs without actually waiting for their
completion, and proceed to free the FCB, which contained these IO_STATUS_BLOCKs.
Note that using TdiBuildInternalDeviceControlIrp for these requests is broken in the first
place, since it is intended for synchronous requests and requires a guarantee about the
calling thread's lifetime. These functions (and their completion routines) should use
IoAllocateIrp/IoReuseIrp/IoFreeIrp instead. However this can be fixed later; the
incredibly annoying nonpaged pool corruption due to this that has been around for 10 years
should be fixed with this commit.
CORE-8640 #resolve
Modified:
trunk/reactos/drivers/network/afd/afd/bind.c
trunk/reactos/drivers/network/afd/afd/connect.c
trunk/reactos/drivers/network/afd/afd/listen.c
trunk/reactos/drivers/network/afd/afd/main.c
trunk/reactos/drivers/network/afd/afd/read.c
trunk/reactos/drivers/network/afd/afd/tdi.c
trunk/reactos/drivers/network/afd/afd/write.c
trunk/reactos/drivers/network/afd/include/afd.h
trunk/reactos/drivers/network/afd/include/tdi_proto.h
Modified: trunk/reactos/drivers/network/afd/afd/bind.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/bi…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/bind.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/bind.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -56,7 +56,6 @@
FCB->Recv.Window,
FCB->Recv.Size,
FCB->AddressFrom,
- &FCB->ReceiveIrp.Iosb,
PacketSocketRecvComplete,
FCB);
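Review bot: The FCB is still handed to the transport as CompletionContext on the last line of this hunk, and FCB->Recv.Window is the buffer the request is built over, so removing the Iosb closes one asynchronous write into freed memory but, as far as this hunk shows, not the others: if PacketSocketRecvComplete dereferences its context after AfdCloseSocket has cancelled the IRP and freed the FCB (the log says close does not wait for completion), the same use-after-free class remains. This is presumably why the log defers the real fix to IoAllocateIrp/IoFreeIrp, but nothing at the call site says so. A comment here would stop the next reader from assuming the lifetime problem is fully solved: `/* NOTE: FCB and Recv.Window are referenced by the in-flight IRP; they must not be freed until PacketSocketRecvComplete has run (CORE-8640). */`. The enclosing function starts before the hunk.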
Modified: trunk/reactos/drivers/network/afd/afd/connect.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/co…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/connect.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/connect.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -286,7 +286,6 @@
TDI_RECEIVE_NORMAL,
FCB->Recv.Window,
FCB->Recv.Size,
- &FCB->ReceiveIrp.Iosb,
ReceiveComplete,
FCB );
@@ -518,7 +517,6 @@
FCB->Connection.Object,
FCB->ConnectCallInfo,
FCB->ConnectReturnInfo,
- &FCB->ConnectIrp.Iosb,
StreamSocketConnectComplete,
FCB );
}
Modified: trunk/reactos/drivers/network/afd/afd/listen.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/li…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -191,7 +191,6 @@
FCB->Connection.Object,
&FCB->ListenIrp.ConnectionCallInfo,
&FCB->ListenIrp.ConnectionReturnInfo,
- &FCB->ListenIrp.Iosb,
ListenComplete,
FCB );
@@ -268,7 +267,6 @@
FCB->Connection.Object,
&FCB->ListenIrp.ConnectionCallInfo,
&FCB->ListenIrp.ConnectionReturnInfo,
- &FCB->ListenIrp.Iosb,
ListenComplete,
FCB );
Modified: trunk/reactos/drivers/network/afd/afd/main.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/ma…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -662,7 +662,6 @@
FCB->Connection.Object,
&FCB->DisconnectTimeout,
FCB->DisconnectFlags,
- &FCB->DisconnectIrp.Iosb,
DisconnectComplete,
FCB,
FCB->ConnectCallInfo,
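Review bot: `&FCB->DisconnectTimeout` in this hunk is still a pointer into the FCB that is passed to TdiDisconnect as the Time argument, and if TdiBuildDisconnect stores that pointer in the IRP's request parameters rather than copying the value, the transport may read it after AfdCloseSocket has freed the FCB — the same lifetime class as the Iosb this commit removes. Whether the transport reads the timeout only at dispatch time is not visible here; confirm that, or move the LARGE_INTEGER into storage that outlives the FCB. At minimum record the dependency: `/* DisconnectTimeout must outlive the disconnect IRP (CORE-8640) */`. The enclosing function starts before and ends after this hunk.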
Modified: trunk/reactos/drivers/network/afd/afd/read.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/re…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/read.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/read.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -46,7 +46,6 @@
TDI_RECEIVE_NORMAL,
FCB->Recv.Window + FCB->Recv.Content,
FCB->Recv.Size - FCB->Recv.Content,
- &FCB->ReceiveIrp.Iosb,
ReceiveComplete,
FCB );
}
@@ -691,7 +690,6 @@
FCB->Recv.Window,
FCB->Recv.Size,
FCB->AddressFrom,
- &FCB->ReceiveIrp.Iosb,
PacketSocketRecvComplete,
FCB );
}
Modified: trunk/reactos/drivers/network/afd/afd/tdi.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/td…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/tdi.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/tdi.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -329,7 +329,6 @@
PFILE_OBJECT ConnectionObject,
PTDI_CONNECTION_INFORMATION ConnectionCallInfo,
PTDI_CONNECTION_INFORMATION ConnectionReturnInfo,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext)
/*
@@ -362,7 +361,7 @@
DeviceObject, /* Device object */
ConnectionObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
return STATUS_INSUFFICIENT_RESOURCES;
}
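Review bot: Passing NULL as the status block on the changed `NULL); /* Status */` line is only safe if nothing later dereferences Irp->UserIosb; in the IoBuildDeviceIoControlRequest model the I/O manager copies Irp->IoStatus into the user status block during completion unless the completion routine returns STATUS_MORE_PROCESSING_REQUIRED and keeps the IRP. CompletionRoutine is attached outside this hunk and its body is not visible, so please confirm that every AFD completion routine takes ownership, or that the I/O manager checks UserIosb for NULL before writing. A comment on the argument would pin the dependency for future readers: `NULL); /* Status: must stay NULL, the FCB may be gone before completion (CORE-8640) */`. The enclosing function starts before and ends after this hunk.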
@@ -376,7 +375,7 @@
ConnectionCallInfo, /* Request connection information */
ConnectionReturnInfo); /* Return connection information */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
return STATUS_PENDING;
}
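Review bot: The status returned by TdiCall on the changed line is discarded and the function unconditionally returns STATUS_PENDING; with both the event and the status block now NULL, a synchronous failure from the transport is recorded nowhere except in the IRP itself. If the completion routine is still invoked on a synchronous failure this is acceptable, but that is an inference the hunk does not show, and whether callers could cope with a non-pending error here (after the completion routine may already have run) is not visible either. Either document the contract — `/* Status reaches CompletionRoutine via Irp->IoStatus; TdiCall's return is intentionally not propagated */` — or verify that a synchronous error cannot leave the caller waiting for a completion that never comes. The same pattern appears in TdiListen, TdiReceive, TdiSend and the datagram and disconnect variants further down.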
@@ -485,7 +484,6 @@
PFILE_OBJECT ConnectionObject,
PTDI_CONNECTION_INFORMATION *RequestConnectionInfo,
PTDI_CONNECTION_INFORMATION *ReturnConnectionInfo,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext)
/*
@@ -519,7 +517,7 @@
DeviceObject, /* Device object */
ConnectionObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (*Irp == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
@@ -532,7 +530,7 @@
*RequestConnectionInfo, /* Request connection information */
*ReturnConnectionInfo); /* Return connection information */
- TdiCall(*Irp, DeviceObject, NULL /* Don't wait for completion */, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL /* Don't wait for completion */, NULL);
return STATUS_PENDING;
}
@@ -892,7 +890,6 @@
USHORT Flags,
PCHAR Buffer,
UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext)
{
@@ -916,7 +913,7 @@
DeviceObject, /* Device object */
TransportObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -958,7 +955,7 @@
Flags, /* Flags */
BufferLength); /* Length of data */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
/* Does not block... The MDL is deleted in the receive completion
routine. */
@@ -971,7 +968,6 @@
USHORT Flags,
PCHAR Buffer,
UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext)
{
@@ -995,7 +991,7 @@
DeviceObject, /* Device object */
TransportObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1040,7 +1036,7 @@
BufferLength); /* Length of data */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
/* Does not block... The MDL is deleted in the receive completion
routine. */
@@ -1055,7 +1051,6 @@
PCHAR Buffer,
UINT BufferLength,
PTDI_CONNECTION_INFORMATION Addr,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext)
/*
@@ -1090,7 +1085,7 @@
DeviceObject, /* Device object */
TransportObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1134,7 +1129,7 @@
Addr,
Flags); /* Length of data */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
/* Does not block... The MDL is deleted in the receive completion
routine. */
@@ -1148,7 +1143,6 @@
PCHAR Buffer,
UINT BufferLength,
PTDI_CONNECTION_INFORMATION Addr,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext)
/*
@@ -1185,7 +1179,7 @@
DeviceObject, /* Device object */
TransportObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1228,7 +1222,7 @@
BufferLength, /* Bytes to send */
Addr); /* Address */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
/* Does not block... The MDL is deleted in the send completion
routine. */
@@ -1240,7 +1234,6 @@
PFILE_OBJECT TransportObject,
PLARGE_INTEGER Time,
USHORT Flags,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext,
PTDI_CONNECTION_INFORMATION RequestConnectionInfo,
@@ -1264,7 +1257,7 @@
DeviceObject, /* Device object */
TransportObject, /* File object */
NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1281,7 +1274,7 @@
RequestConnectionInfo, /* Indication of who to disconnect */
ReturnConnectionInfo); /* Indication of who disconnected */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
return STATUS_PENDING;
}
Modified: trunk/reactos/drivers/network/afd/afd/write.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/wr…
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -243,7 +243,6 @@
0,
FCB->Send.Window,
FCB->Send.BytesUsed,
- &FCB->SendIrp.Iosb,
SendComplete,
FCB );
}
@@ -385,7 +384,6 @@
SendReq->BufferArray[0].buf,
SendReq->BufferArray[0].len,
TargetAddress,
- &FCB->SendIrp.Iosb,
PacketSocketSendComplete,
FCB);
}
@@ -549,7 +547,6 @@
0,
FCB->Send.Window,
FCB->Send.BytesUsed,
- &FCB->SendIrp.Iosb,
SendComplete,
FCB);
}
@@ -645,7 +642,6 @@
SendReq->BufferArray[0].buf,
SendReq->BufferArray[0].len,
TargetAddress,
- &FCB->SendIrp.Iosb,
PacketSocketSendComplete,
FCB);
}
Modified: trunk/reactos/drivers/network/afd/include/afd.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/includ…
==============================================================================
--- trunk/reactos/drivers/network/afd/include/afd.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/include/afd.h [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -152,7 +152,6 @@
typedef struct _AFD_IN_FLIGHT_REQUEST {
PIRP InFlightRequest;
- IO_STATUS_BLOCK Iosb;
PTDI_CONNECTION_INFORMATION ConnectionCallInfo;
PTDI_CONNECTION_INFORMATION ConnectionReturnInfo;
} AFD_IN_FLIGHT_REQUEST, *PAFD_IN_FLIGHT_REQUEST;
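Review bot: AFD_IN_FLIGHT_REQUEST carries no comment explaining why it must not hold storage the I/O manager or the transport writes asynchronously, which is exactly the lesson of this commit and the reason the Iosb member is removed. A short header comment would keep the next contributor from re-adding one, along the lines of `/* Tracks an IRP dispatched to the transport. This struct lives inside the FCB, which may be freed before the IRP completes, so it may hold only pointers to separately owned objects, never storage the IRP writes into (CORE-8640). */`. ConnectionCallInfo and ConnectionReturnInfo are pointers and so are fine in that respect; whether their pointees outlive the IRP is not visible here.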
@@ -369,7 +368,6 @@
PFILE_OBJECT ConnectionObject,
PTDI_CONNECTION_INFORMATION *RequestConnectionInfo,
PTDI_CONNECTION_INFORMATION *ReturnConnectionInfo,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext);
@@ -379,7 +377,6 @@
USHORT Flags,
PCHAR Buffer,
UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext);
@@ -389,7 +386,6 @@
USHORT Flags,
PCHAR Buffer,
UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext);
@@ -400,7 +396,6 @@
PCHAR Buffer,
UINT BufferLength,
PTDI_CONNECTION_INFORMATION From,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext);
@@ -410,7 +405,6 @@
PCHAR Buffer,
UINT BufferLength,
PTDI_CONNECTION_INFORMATION To,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext);
Modified: trunk/reactos/drivers/network/afd/include/tdi_proto.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/includ…
==============================================================================
--- trunk/reactos/drivers/network/afd/include/tdi_proto.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/include/tdi_proto.h [iso-8859-1] Sun Oct 19 22:12:06
2014
@@ -4,7 +4,6 @@
PFILE_OBJECT ConnectionObject,
PTDI_CONNECTION_INFORMATION ConnectionCallInfo,
PTDI_CONNECTION_INFORMATION ConnectionReturnInfo,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext );
@@ -20,7 +19,6 @@
PFILE_OBJECT TransportObject,
PLARGE_INTEGER Time,
USHORT Flags,
- PIO_STATUS_BLOCK Iosb,
PIO_COMPLETION_ROUTINE CompletionRoutine,
PVOID CompletionContext,
PTDI_CONNECTION_INFORMATION RequestConnectionInfo,