From c72bfe8de20fb2f110c728baa94c9832fb8640e6 Mon Sep 17 00:00:00 2001
From: Aleksey Bragin
Date: Wed, 23 Apr 2008 16:40:08 +0000
Subject: [PATCH] - Fix logic bugs in LpcRequestPort (which is not the same as NtRequestPort as someone incorrectly assumed previously) and also reference/dereference the process who owns the server mapping.

svn path=/trunk/; revision=33128
---
 reactos/ntoskrnl/lpc/close.c | 2 +-
 reactos/ntoskrnl/lpc/connect.c | 2 +-
 reactos/ntoskrnl/lpc/send.c | 80 ++++++++++++++++++++--------------
 3 files changed, 50 insertions(+), 34 deletions(-)

diff --git a/reactos/ntoskrnl/lpc/close.c b/reactos/ntoskrnl/lpc/close.c
index 89ec7d38747..d142d0f50a9 100644
--- a/reactos/ntoskrnl/lpc/close.c
+++ b/reactos/ntoskrnl/lpc/close.c
@@ -374,7 +374,7 @@ LpcpDeletePort(IN PVOID ObjectBody)
 }
 /* Dereference the mapping process */
- //ObDereferenceObject(Port->MappingProcess);
+ ObDereferenceObject(Port->MappingProcess);
 Port->MappingProcess = NULL;
 }
diff --git a/reactos/ntoskrnl/lpc/connect.c b/reactos/ntoskrnl/lpc/connect.c
index 1d71c382a05..38d22c9b1c6 100644
--- a/reactos/ntoskrnl/lpc/connect.c
+++ b/reactos/ntoskrnl/lpc/connect.c
@@ -299,7 +299,7 @@ NtSecureConnectPort(OUT PHANDLE PortHandle,
 /* Reference and remember the process */
 ClientPort->MappingProcess = PsGetCurrentProcess();
- //ObReferenceObject(ClientPort->MappingProcess);
+ ObReferenceObject(ClientPort->MappingProcess);
 }
 else
 {
diff --git a/reactos/ntoskrnl/lpc/send.c b/reactos/ntoskrnl/lpc/send.c
index e1d6cbd7dfd..f0bbaaf1f72 100644
--- a/reactos/ntoskrnl/lpc/send.c
+++ b/reactos/ntoskrnl/lpc/send.c
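Review bot: Enabling `ObDereferenceObject(Port->MappingProcess)` in LpcpDeletePort makes every writer of MappingProcess responsible for holding a reference; the connect.c hunk takes one in NtSecureConnectPort's `ClientPort->MappingProcess = PsGetCurrentProcess();` branch, but the `else` branch that follows it, and any other code that stores a non-NULL MappingProcess, are outside these hunks and need the same ObReferenceObject, otherwise the port's deletion drops a reference that was never taken. The dereference is visibly preceded only by the `}` closing an earlier block, so whether a NULL MappingProcess can reach it cannot be seen here; if it is not already inside such a guard, wrap it as `if (Port->MappingProcess)`. LpcpDeletePort's body starts and continues outside the hunk.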
@@ -198,28 +198,41 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
 if (Thread->LpcExitThreadCalled) return STATUS_THREAD_IS_TERMINATING;
 /* Check if this is an LPC Request */
- if (LpcpGetMessageType(LpcRequest) == LPC_REQUEST)
- {
- /* Then it's a callback */
- Callback = TRUE;
- }
- else
- {
- /* This is a kernel-mode message without a callback */
- LpcRequest->u2.s2.Type |= LPC_REQUEST;
- Callback = FALSE;
- }
-
- /* Get the message type */
- MessageType = LpcRequest->u2.s2.Type;
-
- /* Validate the length */
- if (((ULONG)LpcRequest->u1.s1.DataLength + sizeof(PORT_MESSAGE)) >
- (ULONG)LpcRequest->u1.s1.TotalLength)
+ MessageType = LpcpGetMessageType(LpcRequest);
+ switch (MessageType)
 {
- /* Fail */
- return STATUS_INVALID_PARAMETER;
+ /* No type */
+ case 0:
+
+ /* Assume LPC request */
+ MessageType = LPC_REQUEST;
+ break;
+
+ /* LPC request callback */
+ case LPC_REQUEST:
+
+ /* This is a callback */
+ Callback = TRUE;
+ break;
+
+ /* Anything else */
+ case LPC_CLIENT_DIED:
+ case LPC_PORT_CLOSED:
+ case LPC_EXCEPTION:
+ case LPC_DEBUG_EVENT:
+ case LPC_ERROR_EVENT:
+
+ /* Nothing to do */
+ break;
+
+ default:
+
+ /* Invalid message type */
+ return STATUS_INVALID_PARAMETER;
 }
+
+ /* Set the request type */
+ LpcRequest->u2.s2.Type = MessageType;
 /* Validate the message length */
 if (((ULONG)LpcRequest->u1.s1.TotalLength > Port->MaxMessageLength) ||
@@ -250,7 +263,7 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
 LpcpMoveMessage(&Message->Request,
 LpcRequest,
 LpcRequest + 1,
- MessageType,
+ 0,
 &Thread->Cid);
 /* Acquire the LPC lock */
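Review bot: `Callback` is no longer assigned on every path through the type check: the removed else branch set `Callback = FALSE;`, while the new switch sets it only in `case LPC_REQUEST`, so in `case 0` and in the LPC_CLIENT_DIED through LPC_ERROR_EVENT cases it keeps whatever value it had, and unless it is initialised at its declaration (outside the hunk) the later use of Callback reads an indeterminate value. Add `Callback = FALSE;` immediately before `MessageType = LpcpGetMessageType(LpcRequest);`. The removed check that `DataLength + sizeof(PORT_MESSAGE)` does not exceed TotalLength is not re-established in this hunk either; if the continuation of the remaining length check (outside the hunk) does not compare DataLength with TotalLength, the later LpcpMoveMessage call, which presumably copies DataLength bytes from `LpcRequest + 1`, can read past the bytes the caller's message actually holds. LpcRequestWaitReplyPort's body starts and ends outside the hunk.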
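Review bot: The literal `0` passed to LpcpMoveMessage in place of `MessageType` is an unexplained magic value at the call site; since the function now stores the validated type in `LpcRequest->u2.s2.Type` before this call, presumably 0 tells LpcpMoveMessage to keep the type carried by the source message, but nothing in the hunk says so. A short comment on the argument, `0, /* type already set in LpcRequest->u2.s2.Type */`, would make the intent reviewable. The enclosing function starts and ends outside the hunk.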
@@ -383,19 +396,21 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
 (&Message->Request) + 1,
 0,
 NULL);
-
- /* Check if this is an LPC request with data information */
- if ((LpcpGetMessageType(&Message->Request) == LPC_REQUEST) &&
- (Message->Request.u2.s2.DataInfoOffset))
+
+ /* Acquire the lock */
+ KeAcquireGuardedMutex(&LpcpLock);
+
+ /* Check if we replied to a thread */
+ if (Message->RepliedToThread)
 {
- /* Save the data information */
- LpcpSaveDataInfoMessage(Port, Message, 0);
- }
- else
- {
- /* Otherwise, just free it */
- LpcpFreeToPortZone(Message, 0);
+ /* Dereference */
+ ObDereferenceObject(Message->RepliedToThread);
+ Message->RepliedToThread = NULL;
 }
+
+
+ /* Free the message */
+ LpcpFreeToPortZone(Message, 3);
 }
 else
 {
@@ -415,6 +430,7 @@ LpcRequestWaitReplyPort(IN PVOID PortObject,
 Port,
 Status);
+ /* Dereference the connection port */
 if (ConnectionPort) ObDereferenceObject(ConnectionPort);
 return Status;
 }
--
2.17.1
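Review bot: `KeAcquireGuardedMutex(&LpcpLock)` is taken before the RepliedToThread check, but no release is visible in the hunk; the only candidate is the `3` flags argument of `LpcpFreeToPortZone(Message, 3)`, whose meaning the code does not state. If those flag bits do not tell LpcpFreeToPortZone both that the lock is already held and that it must release it, this path returns with LpcpLock held. State the contract at the call with a comment such as `/* Flags 3: LpcpLock is already held; LpcpFreeToPortZone releases it */`, adjusted to what the bits actually mean, and drop one of the two consecutive blank lines added before `/* Free the message */`. The surrounding function starts and ends outside the hunk.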