Author: tfaber Date: Sun Oct 19 22:12:06 2014 New Revision: 64838
URL: http://svn.reactos.org/svn/reactos?rev=64838&view=rev Log: [AFD] - Do not pass IO_STATUS_BLOCKs when creating IRPs for asynchronous use. Fixes a use-after-free where AfdCloseSocket would cancel IRPs without actually waiting for their completion, and proceed to free the FCB, which contained these IO_STATUS_BLOCKs. Note that using TdiBuildInternalDeviceControlIrp for these requests is broken in the first place, since it is intended for synchronous requests and requires a guarantee about the calling thread's lifetime. These functions (and their completion routines) should use IoAllocateIrp/IoReuseIrp/IoFreeIrp instead. However this can be fixed later; the incredibly annoying nonpaged pool corruption due to this that has been around for 10 years should be fixed with this commit. CORE-8640 #resolve
Modified: trunk/reactos/drivers/network/afd/afd/bind.c trunk/reactos/drivers/network/afd/afd/connect.c trunk/reactos/drivers/network/afd/afd/listen.c trunk/reactos/drivers/network/afd/afd/main.c trunk/reactos/drivers/network/afd/afd/read.c trunk/reactos/drivers/network/afd/afd/tdi.c trunk/reactos/drivers/network/afd/afd/write.c trunk/reactos/drivers/network/afd/include/afd.h trunk/reactos/drivers/network/afd/include/tdi_proto.h
Modified: trunk/reactos/drivers/network/afd/afd/bind.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/bin...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/bind.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/bind.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -56,7 +56,6 @@
 FCB->Recv.Window,
 FCB->Recv.Size,
 FCB->AddressFrom,
- &FCB->ReceiveIrp.Iosb,
 PacketSocketRecvComplete,
 FCB);
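Review bot: Dropping `&FCB->ReceiveIrp.Iosb` stops the I/O manager from writing completion status into FCB memory, but the call still passes `FCB` as the completion context two lines below, so `PacketSocketRecvComplete` can still run against a freed FCB if AfdCloseSocket cancels the IRP without waiting for completion, as the log itself describes. The same pattern is present in the connect.c, listen.c, main.c, read.c and write.c hunks. Until the close path waits for in-flight IRPs (an event signalled from the completion routine, or an FCB reference held for the life of the IRP), the remaining lifetime requirement should at least be stated at the call site, e.g. `/* FCB must outlive this IRP: the completion routine receives it as context */`. The enclosing function starts and ends outside the hunk.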
Modified: trunk/reactos/drivers/network/afd/afd/connect.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/con...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/connect.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/connect.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -286,7 +286,6 @@
 TDI_RECEIVE_NORMAL,
 FCB->Recv.Window,
 FCB->Recv.Size,
- &FCB->ReceiveIrp.Iosb,
 ReceiveComplete,
 FCB );
@@ -518,7 +517,6 @@
 FCB->Connection.Object,
 FCB->ConnectCallInfo,
 FCB->ConnectReturnInfo,
- &FCB->ConnectIrp.Iosb,
 StreamSocketConnectComplete,
 FCB );
 }
Modified: trunk/reactos/drivers/network/afd/afd/listen.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/lis...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/listen.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -191,7 +191,6 @@
 FCB->Connection.Object,
 &FCB->ListenIrp.ConnectionCallInfo,
 &FCB->ListenIrp.ConnectionReturnInfo,
- &FCB->ListenIrp.Iosb,
 ListenComplete,
 FCB );
@@ -268,7 +267,6 @@
 FCB->Connection.Object,
 &FCB->ListenIrp.ConnectionCallInfo,
 &FCB->ListenIrp.ConnectionReturnInfo,
- &FCB->ListenIrp.Iosb,
 ListenComplete,
 FCB );
Modified: trunk/reactos/drivers/network/afd/afd/main.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/mai...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/main.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -662,7 +662,6 @@
 FCB->Connection.Object,
 &FCB->DisconnectTimeout,
 FCB->DisconnectFlags,
- &FCB->DisconnectIrp.Iosb,
 DisconnectComplete,
 FCB,
 FCB->ConnectCallInfo,
Modified: trunk/reactos/drivers/network/afd/afd/read.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/rea...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/read.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/read.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -46,7 +46,6 @@
 TDI_RECEIVE_NORMAL,
 FCB->Recv.Window + FCB->Recv.Content,
 FCB->Recv.Size - FCB->Recv.Content,
- &FCB->ReceiveIrp.Iosb,
 ReceiveComplete,
 FCB );
 }
@@ -691,7 +690,6 @@
 FCB->Recv.Window,
 FCB->Recv.Size,
 FCB->AddressFrom,
- &FCB->ReceiveIrp.Iosb,
 PacketSocketRecvComplete,
 FCB );
 }
Modified: trunk/reactos/drivers/network/afd/afd/tdi.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/tdi...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/tdi.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/tdi.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -329,7 +329,6 @@
 PFILE_OBJECT ConnectionObject,
 PTDI_CONNECTION_INFORMATION ConnectionCallInfo,
 PTDI_CONNECTION_INFORMATION ConnectionReturnInfo,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext)
 /*
@@ -362,7 +361,7 @@
 DeviceObject, /* Device object */
 ConnectionObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
 if (!*Irp) {
 return STATUS_INSUFFICIENT_RESOURCES;
 }
@@ -376,7 +375,7 @@
 ConnectionCallInfo, /* Request connection information */
 ConnectionReturnInfo); /* Return connection information */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
return STATUS_PENDING;
 }
@@ -485,7 +484,6 @@
 PFILE_OBJECT ConnectionObject,
 PTDI_CONNECTION_INFORMATION *RequestConnectionInfo,
 PTDI_CONNECTION_INFORMATION *ReturnConnectionInfo,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext)
 /*
@@ -519,7 +517,7 @@
 DeviceObject, /* Device object */
 ConnectionObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
 if (*Irp == NULL) return STATUS_INSUFFICIENT_RESOURCES;
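Review bot: `TdiCall(*Irp, DeviceObject, NULL, NULL)` now hands TdiCall a NULL status block as well as a NULL event, and whether TdiCall dereferences its status-block argument on the path where the lower driver completes the request synchronously is not visible in this hunk; that should be confirmed, since the same call shape is repeated in the -532, -958, -1040, -1134, -1228 and -1281 hunks. The function also still returns `STATUS_PENDING` unconditionally regardless of what TdiCall returns, so a synchronous failure now surfaces only through the completion routine, which has to read `Irp->IoStatus` rather than a caller-owned block. A one-line comment above the call, `/* Status reaches the caller only via Irp->IoStatus in the completion routine */`, would record that contract for the completion routines that depend on it. The enclosing function begins outside the hunk.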
@@ -532,7 +530,7 @@
 *RequestConnectionInfo, /* Request connection information */
 *ReturnConnectionInfo); /* Return connection information */
- TdiCall(*Irp, DeviceObject, NULL /* Don't wait for completion */, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL /* Don't wait for completion */, NULL);
return STATUS_PENDING;
 }
@@ -892,7 +890,6 @@
 USHORT Flags,
 PCHAR Buffer,
 UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext)
 {
@@ -916,7 +913,7 @@
 DeviceObject, /* Device object */
 TransportObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
 AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -958,7 +955,7 @@
 Flags, /* Flags */
 BufferLength); /* Length of data */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
 /* Does not block... The MDL is deleted in the receive completion routine. */
@@ -971,7 +968,6 @@
 USHORT Flags,
 PCHAR Buffer,
 UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext)
 {
@@ -995,7 +991,7 @@
 DeviceObject, /* Device object */
 TransportObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
 AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1040,7 +1036,7 @@
 BufferLength); /* Length of data */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
 /* Does not block... The MDL is deleted in the receive completion routine. */
@@ -1055,7 +1051,6 @@
 PCHAR Buffer,
 UINT BufferLength,
 PTDI_CONNECTION_INFORMATION Addr,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext)
 /*
@@ -1090,7 +1085,7 @@
 DeviceObject, /* Device object */
 TransportObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
 AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1134,7 +1129,7 @@
 Addr,
 Flags); /* Length of data */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
 /* Does not block... The MDL is deleted in the receive completion routine. */
@@ -1148,7 +1143,6 @@
 PCHAR Buffer,
 UINT BufferLength,
 PTDI_CONNECTION_INFORMATION Addr,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext)
 /*
@@ -1185,7 +1179,7 @@
 DeviceObject, /* Device object */
 TransportObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
 AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1228,7 +1222,7 @@
 BufferLength, /* Bytes to send */
 Addr); /* Address */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
 /* Does not block... The MDL is deleted in the send completion routine. */
@@ -1240,7 +1234,6 @@
 PFILE_OBJECT TransportObject,
 PLARGE_INTEGER Time,
 USHORT Flags,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext,
 PTDI_CONNECTION_INFORMATION RequestConnectionInfo,
@@ -1264,7 +1257,7 @@
 DeviceObject, /* Device object */
 TransportObject, /* File object */
 NULL, /* Event */
- Iosb); /* Status */
+ NULL); /* Status */
if (!*Irp) {
 AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1281,7 +1274,7 @@
 RequestConnectionInfo, /* Indication of who to disconnect */
 ReturnConnectionInfo); /* Indication of who disconnected */
- TdiCall(*Irp, DeviceObject, NULL, Iosb);
+ TdiCall(*Irp, DeviceObject, NULL, NULL);
return STATUS_PENDING;
 }
Modified: trunk/reactos/drivers/network/afd/afd/write.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/afd/wri...
==============================================================================
--- trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/afd/write.c [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -243,7 +243,6 @@
 0,
 FCB->Send.Window,
 FCB->Send.BytesUsed,
- &FCB->SendIrp.Iosb,
 SendComplete,
 FCB );
 }
@@ -385,7 +384,6 @@
 SendReq->BufferArray[0].buf,
 SendReq->BufferArray[0].len,
 TargetAddress,
- &FCB->SendIrp.Iosb,
 PacketSocketSendComplete,
 FCB);
 }
@@ -549,7 +547,6 @@
 0,
 FCB->Send.Window,
 FCB->Send.BytesUsed,
- &FCB->SendIrp.Iosb,
 SendComplete,
 FCB);
 }
@@ -645,7 +642,6 @@
 SendReq->BufferArray[0].buf,
 SendReq->BufferArray[0].len,
 TargetAddress,
- &FCB->SendIrp.Iosb,
 PacketSocketSendComplete,
 FCB);
 }
Modified: trunk/reactos/drivers/network/afd/include/afd.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/include...
==============================================================================
--- trunk/reactos/drivers/network/afd/include/afd.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/include/afd.h [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -152,7 +152,6 @@
typedef struct _AFD_IN_FLIGHT_REQUEST {
 PIRP InFlightRequest;
- IO_STATUS_BLOCK Iosb;
 PTDI_CONNECTION_INFORMATION ConnectionCallInfo;
 PTDI_CONNECTION_INFORMATION ConnectionReturnInfo;
 } AFD_IN_FLIGHT_REQUEST, *PAFD_IN_FLIGHT_REQUEST;
@@ -369,7 +368,6 @@
 PFILE_OBJECT ConnectionObject,
 PTDI_CONNECTION_INFORMATION *RequestConnectionInfo,
 PTDI_CONNECTION_INFORMATION *ReturnConnectionInfo,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext);
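Review bot: The struct loses its embedded `IO_STATUS_BLOCK` without any comment recording why, and the reason — the IRP tracked by `InFlightRequest` may complete after the enclosing FCB has been freed, so nothing the I/O manager writes on completion may live in FCB memory — is exactly what a later maintainer needs in order not to reintroduce the field. A comment on the `InFlightRequest` member such as `/* Completes asynchronously; never keep an IO_STATUS_BLOCK for it here, the FCB may be freed first (CORE-8640) */` would capture it. The struct is complete within the hunk.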
@@ -379,7 +377,6 @@
 USHORT Flags,
 PCHAR Buffer,
 UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext);
@@ -389,7 +386,6 @@
 USHORT Flags,
 PCHAR Buffer,
 UINT BufferLength,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext);
@@ -400,7 +396,6 @@
 PCHAR Buffer,
 UINT BufferLength,
 PTDI_CONNECTION_INFORMATION From,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext);
@@ -410,7 +405,6 @@
 PCHAR Buffer,
 UINT BufferLength,
 PTDI_CONNECTION_INFORMATION To,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext);
Modified: trunk/reactos/drivers/network/afd/include/tdi_proto.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/network/afd/include...
==============================================================================
--- trunk/reactos/drivers/network/afd/include/tdi_proto.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/network/afd/include/tdi_proto.h [iso-8859-1] Sun Oct 19 22:12:06 2014
@@ -4,7 +4,6 @@
 PFILE_OBJECT ConnectionObject,
 PTDI_CONNECTION_INFORMATION ConnectionCallInfo,
 PTDI_CONNECTION_INFORMATION ConnectionReturnInfo,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext );
@@ -20,7 +19,6 @@
 PFILE_OBJECT TransportObject,
 PLARGE_INTEGER Time,
 USHORT Flags,
- PIO_STATUS_BLOCK Iosb,
 PIO_COMPLETION_ROUTINE CompletionRoutine,
 PVOID CompletionContext,
 PTDI_CONNECTION_INFORMATION RequestConnectionInfo,