[Wine-patches] [eterhack 1/2] ntoskrnl: Don't free IRP after IoCallDriver. (eterbug #10621)

Dmitry Timoshkov dtimoshkov на etersoft.ru
Вт Ноя 10 11:32:56 MSK 2015


Every driver always calls IoCompleteRequest once the request has been
processed, and IoCompleteRequest is supposed to free the IRP on its own.
This patch fixes heap corruption caused by double-freeing an IRP.
---
 dlls/ntoskrnl.exe/ntoskrnl.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 01a7193..892c240 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -294,7 +294,6 @@ static NTSTATUS get_device_id( DEVICE_OBJECT *pdo, BUS_QUERY_ID_TYPE id_type,
     status = IoCallDriver( pdo, irp );
     if (status == STATUS_SUCCESS)
         *id = (WCHAR *)irp->IoStatus.Information;
-    IoFreeIrp( irp );
     return status;
 }
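Review bot: The read of `irp->IoStatus.Information` just above the removed IoFreeIrp still dereferences the IRP after IoCallDriver has returned; if IoCompleteRequest releases the IRP as the description states, that read becomes a use-after-free whenever the driver completes the request synchronously. The same pattern remains in process_read (`*size = ... irp->IoStatus.Information`) and in process_write (the store to `irp->IoStatus.Information` and the read after it), and __wine_start_device leaves `device->CurrentIrp` pointing at memory that may already be freed. One way to keep the result without touching the IRP afterwards is to give the request its own status block before the call, `IO_STATUS_BLOCK iosb; irp->UserIosb = &iosb;`, and read `*id = (WCHAR *)iosb.Information;` instead, assuming the completion path copies IoStatus into UserIosb as on Windows. get_device_id begins before the hunk.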
 
@@ -888,7 +887,6 @@ static NTSTATUS process_read( DEVICE_OBJECT *device, void *buff, ULONG *size )
     KeQueryTickCount( &count );  /* update the global KeTickCount */
     status = IoCallDriver( device, irp );
     *size = (status == STATUS_SUCCESS) ? irp->IoStatus.Information : 0;
-    IoFreeIrp( irp );
     return status;
 }
 
@@ -931,7 +929,6 @@ static NTSTATUS process_write( DEVICE_OBJECT *device, void *buff, ULONG *size )
     irp->IoStatus.Information = *size;
     if (irp->MdlAddress == NULL)  /* for UPKey.sys */
         *size = (status == STATUS_SUCCESS) ? irp->IoStatus.Information : 0;
-    IoFreeIrp( irp );
     return status;
 }
 
@@ -1151,7 +1148,6 @@ NTSTATUS CDECL __wine_start_device( DEVICE_OBJECT *device )
     irpsp->DeviceObject = device;
     device->CurrentIrp = irp;
     status = IoCallDriver( device, irp );
-    IoFreeIrp( irp );
     return status;
 }
 
@@ -1797,7 +1793,6 @@ void WINAPI IoInvalidateDeviceRelations( PDEVICE_OBJECT DeviceObject,
 
             for (k = 0; k < rel->Count; ++k)
             {
-                IoFreeIrp( irp );
                 irp = IoAllocateIrp( rel->Objects[k]->StackSize, FALSE );
                 if (irp == NULL) return;
                 irpsp = IoGetNextIrpStackLocation( irp );
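Review bot: The early `return` after a failed IoAllocateIrp inside the loop skips the `ExFreePool( rel )` that the normal path reaches further down, so the relations buffer leaks on allocation failure; the commit removes the free in front of this check but leaves that path as it was. If this function owns `rel`, as the later ExFreePool suggests, `if (irp == NULL) { ExFreePool( rel ); return; }` would close it. Both the enclosing loop and IoInvalidateDeviceRelations extend beyond the hunk.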
@@ -1827,7 +1822,6 @@ void WINAPI IoInvalidateDeviceRelations( PDEVICE_OBJECT DeviceObject,
             }
             ExFreePool( rel );
         }
-        IoFreeIrp( irp );
     }
     else
         FIXME( "DEVICE_RELATION_TYPE %u not implemented\n", Type );
-- 
2.6.3


