[AFD]

- Do not pass IO_STATUS_BLOCKs when creating IRPs for asynchronous use. Fixes a use-after-free where AfdCloseSocket would cancel IRPs without actually waiting for their completion, and proceed to free the FCB, which contained these IO_STATUS_BLOCKs.
Note that using TdiBuildInternalDeviceControlIrp for these requests is broken in the first place, since it is intended for synchronous requests and requires a guarantee about the calling thread's lifetime. These functions (and their completion routines) should use IoAllocateIrp/IoReuseIrp/IoFreeIrp instead. However this can be fixed later; the incredibly annoying nonpaged pool corruption due to this that has been around for 10 years should be fixed with this commit.
CORE-8640 #resolve

svn path=/trunk/; revision=64838

diff --git a/reactos/drivers/network/afd/afd/bind.c b/reactos/drivers/network/afd/afd/bind.c
index 21a64fe..15767d0 100644 (file)
--- a/reactos/drivers/network/afd/afd/bind.c
+++ b/reactos/drivers/network/afd/afd/bind.c
@@ -56,7 +56,6 @@ NTSTATUS WarmSocketForBind( PAFD_FCB FCB, ULONG ShareType ) {
                                         FCB->Recv.Window,
                                         FCB->Recv.Size,
                                         FCB->AddressFrom,
-                                        &FCB->ReceiveIrp.Iosb,
                                         PacketSocketRecvComplete,
                                         FCB);
 

diff --git a/reactos/drivers/network/afd/afd/connect.c b/reactos/drivers/network/afd/afd/connect.c
index 7a08fdf..0144741 100644 (file)
--- a/reactos/drivers/network/afd/afd/connect.c
+++ b/reactos/drivers/network/afd/afd/connect.c
@@ -286,7 +286,6 @@ MakeSocketIntoConnection(PAFD_FCB FCB) {
                          TDI_RECEIVE_NORMAL,
                          FCB->Recv.Window,
                          FCB->Recv.Size,
-                         &FCB->ReceiveIrp.Iosb,
                          ReceiveComplete,
                          FCB );
 
@@ -518,7 +517,6 @@ AfdStreamSocketConnect(PDEVICE_OBJECT DeviceObject, PIRP Irp,
                                 FCB->Connection.Object,
                                 FCB->ConnectCallInfo,
                                 FCB->ConnectReturnInfo,
-                                &FCB->ConnectIrp.Iosb,
                                 StreamSocketConnectComplete,
                                 FCB );
         }

diff --git a/reactos/drivers/network/afd/afd/listen.c b/reactos/drivers/network/afd/afd/listen.c
index 94893fc..120ad11 100644 (file)
--- a/reactos/drivers/network/afd/afd/listen.c
+++ b/reactos/drivers/network/afd/afd/listen.c
@@ -191,7 +191,6 @@ static NTSTATUS NTAPI ListenComplete( PDEVICE_OBJECT DeviceObject,
                             FCB->Connection.Object,
                             &FCB->ListenIrp.ConnectionCallInfo,
                             &FCB->ListenIrp.ConnectionReturnInfo,
-                            &FCB->ListenIrp.Iosb,
                             ListenComplete,
                             FCB );
 
@@ -268,7 +267,6 @@ NTSTATUS AfdListenSocket( PDEVICE_OBJECT DeviceObject, PIRP Irp,
                         FCB->Connection.Object,
                         &FCB->ListenIrp.ConnectionCallInfo,
                         &FCB->ListenIrp.ConnectionReturnInfo,
-                        &FCB->ListenIrp.Iosb,
                         ListenComplete,
                         FCB );
 

diff --git a/reactos/drivers/network/afd/afd/main.c b/reactos/drivers/network/afd/afd/main.c
index 97da39b..c4feb08 100644 (file)
--- a/reactos/drivers/network/afd/afd/main.c
+++ b/reactos/drivers/network/afd/afd/main.c
@@ -662,7 +662,6 @@ DoDisconnect(PAFD_FCB FCB)
                            FCB->Connection.Object,
                            &FCB->DisconnectTimeout,
                            FCB->DisconnectFlags,
-                           &FCB->DisconnectIrp.Iosb,
                            DisconnectComplete,
                            FCB,
                            FCB->ConnectCallInfo,

diff --git a/reactos/drivers/network/afd/afd/read.c b/reactos/drivers/network/afd/afd/read.c
index 6e02a67..935379e 100644 (file)
--- a/reactos/drivers/network/afd/afd/read.c
+++ b/reactos/drivers/network/afd/afd/read.c
@@ -46,7 +46,6 @@ static VOID RefillSocketBuffer( PAFD_FCB FCB )
                 TDI_RECEIVE_NORMAL,
                 FCB->Recv.Window + FCB->Recv.Content,
                 FCB->Recv.Size - FCB->Recv.Content,
-                &FCB->ReceiveIrp.Iosb,
                 ReceiveComplete,
                 FCB );
 }
@@ -691,7 +690,6 @@ PacketSocketRecvComplete(
               FCB->Recv.Window,
               FCB->Recv.Size,
               FCB->AddressFrom,
-              &FCB->ReceiveIrp.Iosb,
               PacketSocketRecvComplete,
               FCB );
     }

diff --git a/reactos/drivers/network/afd/afd/tdi.c b/reactos/drivers/network/afd/afd/tdi.c
index a36a09d..333462e 100644 (file)
--- a/reactos/drivers/network/afd/afd/tdi.c
+++ b/reactos/drivers/network/afd/afd/tdi.c
@@ -329,7 +329,6 @@ NTSTATUS TdiConnect(
     PFILE_OBJECT ConnectionObject,
     PTDI_CONNECTION_INFORMATION ConnectionCallInfo,
     PTDI_CONNECTION_INFORMATION ConnectionReturnInfo,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext)
 /*
@@ -362,7 +361,7 @@ NTSTATUS TdiConnect(
                                             DeviceObject,            /* Device object */
                                             ConnectionObject,        /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
     if (!*Irp) {
         return STATUS_INSUFFICIENT_RESOURCES;
     }
@@ -376,7 +375,7 @@ NTSTATUS TdiConnect(
                     ConnectionCallInfo,     /* Request connection information */
                     ConnectionReturnInfo);  /* Return connection information */
 
-    TdiCall(*Irp, DeviceObject, NULL, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL, NULL);
 
     return STATUS_PENDING;
 }
@@ -485,7 +484,6 @@ NTSTATUS TdiListen(
     PFILE_OBJECT ConnectionObject,
     PTDI_CONNECTION_INFORMATION *RequestConnectionInfo,
     PTDI_CONNECTION_INFORMATION *ReturnConnectionInfo,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE  CompletionRoutine,
     PVOID CompletionContext)
 /*
@@ -519,7 +517,7 @@ NTSTATUS TdiListen(
                                             DeviceObject,            /* Device object */
                                             ConnectionObject,        /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
     if (*Irp == NULL)
         return STATUS_INSUFFICIENT_RESOURCES;
 
@@ -532,7 +530,7 @@ NTSTATUS TdiListen(
                    *RequestConnectionInfo, /* Request connection information */
                    *ReturnConnectionInfo);  /* Return connection information */
 
-    TdiCall(*Irp, DeviceObject, NULL /* Don't wait for completion */, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL /* Don't wait for completion */, NULL);
 
     return STATUS_PENDING;
 }
@@ -892,7 +890,6 @@ NTSTATUS TdiSend(
     USHORT Flags,
     PCHAR Buffer,
     UINT BufferLength,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext)
 {
@@ -916,7 +913,7 @@ NTSTATUS TdiSend(
                                             DeviceObject,            /* Device object */
                                             TransportObject,         /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
 
     if (!*Irp) {
         AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -958,7 +955,7 @@ NTSTATUS TdiSend(
                  Flags,                  /* Flags */
                  BufferLength);          /* Length of data */
 
-    TdiCall(*Irp, DeviceObject, NULL, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL, NULL);
     /* Does not block...  The MDL is deleted in the receive completion
        routine. */
 
@@ -971,7 +968,6 @@ NTSTATUS TdiReceive(
     USHORT Flags,
     PCHAR Buffer,
     UINT BufferLength,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext)
 {
@@ -995,7 +991,7 @@ NTSTATUS TdiReceive(
                                             DeviceObject,            /* Device object */
                                             TransportObject,         /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
 
     if (!*Irp) {
         AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1040,7 +1036,7 @@ NTSTATUS TdiReceive(
                     BufferLength);          /* Length of data */
 
 
-    TdiCall(*Irp, DeviceObject, NULL, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL, NULL);
     /* Does not block...  The MDL is deleted in the receive completion
        routine. */
 
@@ -1055,7 +1051,6 @@ NTSTATUS TdiReceiveDatagram(
     PCHAR Buffer,
     UINT BufferLength,
     PTDI_CONNECTION_INFORMATION Addr,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext)
 /*
@@ -1090,7 +1085,7 @@ NTSTATUS TdiReceiveDatagram(
                                             DeviceObject,            /* Device object */
                                             TransportObject,         /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
 
     if (!*Irp) {
         AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1134,7 +1129,7 @@ NTSTATUS TdiReceiveDatagram(
                             Addr,
                             Flags);                 /* Length of data */
 
-    TdiCall(*Irp, DeviceObject, NULL, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL, NULL);
     /* Does not block...  The MDL is deleted in the receive completion
        routine. */
 
@@ -1148,7 +1143,6 @@ NTSTATUS TdiSendDatagram(
     PCHAR Buffer,
     UINT BufferLength,
     PTDI_CONNECTION_INFORMATION Addr,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext)
 /*
@@ -1185,7 +1179,7 @@ NTSTATUS TdiSendDatagram(
                                             DeviceObject,            /* Device object */
                                             TransportObject,         /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
 
     if (!*Irp) {
         AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1228,7 +1222,7 @@ NTSTATUS TdiSendDatagram(
                          BufferLength,           /* Bytes to send */
                          Addr);                  /* Address */
 
-    TdiCall(*Irp, DeviceObject, NULL, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL, NULL);
     /* Does not block...  The MDL is deleted in the send completion
        routine. */
 
@@ -1240,7 +1234,6 @@ NTSTATUS TdiDisconnect(
     PFILE_OBJECT TransportObject,
     PLARGE_INTEGER Time,
     USHORT Flags,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext,
     PTDI_CONNECTION_INFORMATION RequestConnectionInfo,
@@ -1264,7 +1257,7 @@ NTSTATUS TdiDisconnect(
                                             DeviceObject,            /* Device object */
                                             TransportObject,         /* File object */
                                             NULL,                    /* Event */
-                                            Iosb);                   /* Status */
+                                            NULL);                   /* Status */
 
     if (!*Irp) {
         AFD_DbgPrint(MIN_TRACE, ("Insufficient resources.\n"));
@@ -1281,7 +1274,7 @@ NTSTATUS TdiDisconnect(
                        RequestConnectionInfo,  /* Indication of who to disconnect */
                        ReturnConnectionInfo);  /* Indication of who disconnected */
 
-    TdiCall(*Irp, DeviceObject, NULL, Iosb);
+    TdiCall(*Irp, DeviceObject, NULL, NULL);
 
     return STATUS_PENDING;
 }

diff --git a/reactos/drivers/network/afd/afd/write.c b/reactos/drivers/network/afd/afd/write.c
index 3f07109..b91593c 100644 (file)
--- a/reactos/drivers/network/afd/afd/write.c
+++ b/reactos/drivers/network/afd/afd/write.c
@@ -243,7 +243,6 @@ static NTSTATUS NTAPI SendComplete
                           0,
                           FCB->Send.Window,
                           FCB->Send.BytesUsed,
-                          &FCB->SendIrp.Iosb,
                           SendComplete,
                           FCB );
     }
@@ -385,7 +384,6 @@ AfdConnectedSocketWriteData(PDEVICE_OBJECT DeviceObject, PIRP Irp,
                                 SendReq->BufferArray[0].buf,
                                 SendReq->BufferArray[0].len,
                                 TargetAddress,
-                                &FCB->SendIrp.Iosb,
                                 PacketSocketSendComplete,
                                 FCB);
             }
@@ -549,7 +547,6 @@ AfdConnectedSocketWriteData(PDEVICE_OBJECT DeviceObject, PIRP Irp,
                 0,
                 FCB->Send.Window,
                 FCB->Send.BytesUsed,
-                &FCB->SendIrp.Iosb,
                 SendComplete,
                 FCB);
     }
@@ -645,7 +642,6 @@ AfdPacketSocketWriteData(PDEVICE_OBJECT DeviceObject, PIRP Irp,
                             SendReq->BufferArray[0].buf,
                             SendReq->BufferArray[0].len,
                             TargetAddress,
-                            &FCB->SendIrp.Iosb,
                             PacketSocketSendComplete,
                             FCB);
         }

diff --git a/reactos/drivers/network/afd/include/afd.h b/reactos/drivers/network/afd/include/afd.h
index f27ce8f..36aed14 100644 (file)
--- a/reactos/drivers/network/afd/include/afd.h
+++ b/reactos/drivers/network/afd/include/afd.h
@@ -152,7 +152,6 @@ typedef struct _AFD_TDI_OBJECT_QELT {
 
 typedef struct _AFD_IN_FLIGHT_REQUEST {
     PIRP InFlightRequest;
-    IO_STATUS_BLOCK Iosb;
     PTDI_CONNECTION_INFORMATION ConnectionCallInfo;
     PTDI_CONNECTION_INFORMATION ConnectionReturnInfo;
 } AFD_IN_FLIGHT_REQUEST, *PAFD_IN_FLIGHT_REQUEST;
@@ -369,7 +368,6 @@ NTSTATUS TdiListen
   PFILE_OBJECT ConnectionObject,
   PTDI_CONNECTION_INFORMATION *RequestConnectionInfo,
   PTDI_CONNECTION_INFORMATION *ReturnConnectionInfo,
-  PIO_STATUS_BLOCK Iosb,
   PIO_COMPLETION_ROUTINE  CompletionRoutine,
   PVOID CompletionContext);
 
@@ -379,7 +377,6 @@ NTSTATUS TdiReceive
   USHORT Flags,
   PCHAR Buffer,
   UINT BufferLength,
-  PIO_STATUS_BLOCK Iosb,
   PIO_COMPLETION_ROUTINE  CompletionRoutine,
   PVOID CompletionContext);
 
@@ -389,7 +386,6 @@ NTSTATUS TdiSend
   USHORT Flags,
   PCHAR Buffer,
   UINT BufferLength,
-  PIO_STATUS_BLOCK Iosb,
   PIO_COMPLETION_ROUTINE  CompletionRoutine,
   PVOID CompletionContext);
 
@@ -400,7 +396,6 @@ NTSTATUS TdiReceiveDatagram(
     PCHAR Buffer,
     UINT BufferLength,
     PTDI_CONNECTION_INFORMATION From,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext);
 
@@ -410,7 +405,6 @@ NTSTATUS TdiSendDatagram(
     PCHAR Buffer,
     UINT BufferLength,
     PTDI_CONNECTION_INFORMATION To,
-    PIO_STATUS_BLOCK Iosb,
     PIO_COMPLETION_ROUTINE CompletionRoutine,
     PVOID CompletionContext);
 

diff --git a/reactos/drivers/network/afd/include/tdi_proto.h b/reactos/drivers/network/afd/include/tdi_proto.h
index 277cf73..e8ee566 100644 (file)
--- a/reactos/drivers/network/afd/include/tdi_proto.h
+++ b/reactos/drivers/network/afd/include/tdi_proto.h
@@ -4,7 +4,6 @@ NTSTATUS TdiConnect( PIRP *PendingIrp,
                     PFILE_OBJECT ConnectionObject,
                     PTDI_CONNECTION_INFORMATION ConnectionCallInfo,
                     PTDI_CONNECTION_INFORMATION ConnectionReturnInfo,
-                    PIO_STATUS_BLOCK Iosb,
                     PIO_COMPLETION_ROUTINE CompletionRoutine,
                     PVOID CompletionContext );
 
@@ -20,7 +19,6 @@ NTSTATUS TdiDisconnect
   PFILE_OBJECT TransportObject,
   PLARGE_INTEGER Time,
   USHORT Flags,
-  PIO_STATUS_BLOCK Iosb,
   PIO_COMPLETION_ROUTINE CompletionRoutine,
   PVOID CompletionContext,
   PTDI_CONNECTION_INFORMATION RequestConnectionInfo,