/*++ Copyright (c) 1989 Microsoft Corporation Module Name: lpcsend.c Abstract: Local Inter-Process Communication (LPC) request system services. Author: Steve Wood (stevewo) 15-May-1989 Revision History: --*/ #include "lpcp.h" NTSTATUS LpcpRequestWaitReplyPort ( IN PVOID PortAddress, IN PPORT_MESSAGE RequestMessage, OUT PPORT_MESSAGE ReplyMessage, IN KPROCESSOR_MODE AccessMode ); #ifdef ALLOC_PRAGMA #pragma alloc_text(PAGE,NtRequestPort) #pragma alloc_text(PAGE,NtRequestWaitReplyPort) #pragma alloc_text(PAGE,LpcRequestPort) #pragma alloc_text(PAGE,LpcRequestWaitReplyPort) #pragma alloc_text(PAGE,LpcpRequestWaitReplyPort) #pragma alloc_text(PAGE,LpcRequestWaitReplyPortEx) #endif NTSTATUS NtRequestPort ( IN HANDLE PortHandle, IN PPORT_MESSAGE RequestMessage ) /*++ Routine Description: A client and server process send datagram messages using this procedure. The message pointed to by the RequestMessage parameter is placed in the message queue of the port connected to the communication port specified by the PortHandle parameter. This service returns an error if PortHandle is invalid or if the MessageId field of the PortMessage structure is non-zero. Arguments: PortHandle - Specifies the handle of the communication port to send the request message to. RequestMessage - Specifies a pointer to the request message. The Type field of the message is set to LPC_DATAGRAM by the service. Return Value: NTSTATUS - A status code that indicates whether or not the operation was successful. --*/ { PETHREAD CurrentThread; PLPCP_PORT_OBJECT PortObject; PLPCP_PORT_OBJECT QueuePort; PORT_MESSAGE CapturedRequestMessage; ULONG MsgType; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PLPCP_MESSAGE Msg; PLPCP_PORT_OBJECT ConnectionPort = NULL; PAGED_CODE(); // // Get previous processor mode and validate parameters // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { try { ProbeForReadSmallStructure( RequestMessage, sizeof( *RequestMessage ), PROBE_ALIGNMENT (PORT_MESSAGE)); CapturedRequestMessage = *RequestMessage; CapturedRequestMessage.u2.s2.Type &= ~LPC_KERNELMODE_MESSAGE; } except( EXCEPTION_EXECUTE_HANDLER ) { return GetExceptionCode(); } if (CapturedRequestMessage.u2.s2.Type != 0) { return STATUS_INVALID_PARAMETER; } } else { // // This is a kernel mode caller // CapturedRequestMessage = *RequestMessage; if ((CapturedRequestMessage.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) != 0) { return STATUS_INVALID_PARAMETER; } } // // Make sure that the caller has given us some data to send // if (CapturedRequestMessage.u2.s2.DataInfoOffset != 0) { return STATUS_INVALID_PARAMETER; } // // Make sure DataLength is valid with respect to header size and total length // if ((((CLONG)CapturedRequestMessage.u1.s1.DataLength) + sizeof( PORT_MESSAGE )) > ((CLONG)CapturedRequestMessage.u1.s1.TotalLength)) { return STATUS_INVALID_PARAMETER; } // // Reference the communication port object by handle. Return status if // unsuccessful. // Status = LpcpReferencePortObject( PortHandle, 0, PreviousMode, &PortObject ); if (!NT_SUCCESS( Status )) { return Status; } // // Validate the message length // if (((ULONG)CapturedRequestMessage.u1.s1.TotalLength > PortObject->MaxMessageLength) || ((ULONG)CapturedRequestMessage.u1.s1.TotalLength <= (ULONG)CapturedRequestMessage.u1.s1.DataLength)) { ObDereferenceObject( PortObject ); return STATUS_PORT_MESSAGE_TOO_LONG; } // // Determine which port to queue the message to and get client // port context if client sending to server. Also validate // length of message being sent. // // // Allocate and initialize the LPC message to send off // Msg = (PLPCP_MESSAGE)LpcpAllocateFromPortZone( CapturedRequestMessage.u1.s1.TotalLength ); if (Msg == NULL) { ObDereferenceObject( PortObject ); return STATUS_NO_MEMORY; } Msg->RepliedToThread = NULL; Msg->PortContext = NULL; MsgType = CapturedRequestMessage.u2.s2.Type | LPC_DATAGRAM; CurrentThread = PsGetCurrentThread(); if (PreviousMode != KernelMode) { try { LpcpMoveMessage( &Msg->Request, &CapturedRequestMessage, (RequestMessage + 1), MsgType, &CurrentThread->Cid ); } except( EXCEPTION_EXECUTE_HANDLER ) { Status = GetExceptionCode(); LpcpFreeToPortZone( Msg, 0 ); ObDereferenceObject( PortObject ); return Status; } } else { LpcpMoveMessage( &Msg->Request, &CapturedRequestMessage, (RequestMessage + 1), MsgType, &CurrentThread->Cid ); } // // Acquire the global Lpc mutex that guards the LpcReplyMessage // field of the thread and the request message queue. Stamp the // request message with a serial number, insert the message at // the tail of the request message queue and remember the address // of the message in the LpcReplyMessage field for the current thread. // LpcpAcquireLpcpLockByThread(CurrentThread); // // Based on what type of port the caller gave us we'll need to get // the port to actually queue the message off to. // if ((PortObject->Flags & PORT_TYPE) != SERVER_CONNECTION_PORT) { // // The caller didn't give us a connection port so find the // connection port for this port. If it is null then we'll // fall through without sending a message // QueuePort = PortObject->ConnectedPort; // // Check if the queue port is in process of going away // if ( QueuePort != NULL) { // // If the port is a client communication port then give the // message the proper port context // if ((PortObject->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { Msg->PortContext = QueuePort->PortContext; ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( PortObject ); return STATUS_PORT_DISCONNECTED; } // // In the case we don't have a CLIENT_COMMUNICATION_PORT nor // SERVER_COMMUNICATION_PORT we'll use the connection port // to queue messages. // } else if ((PortObject->Flags & PORT_TYPE) != SERVER_COMMUNICATION_PORT) { ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( PortObject ); return STATUS_PORT_DISCONNECTED; } } if (ConnectionPort) { ObReferenceObject( ConnectionPort ); } } } else { // // The caller supplied a server connection port so that is the port // we queue off to // QueuePort = PortObject; } // // At this point we have an LPC message ready to send and if queue port is // not null then we have a port to actually send the message off to // if (QueuePort != NULL) { // // Reference the QueuePort to prevent this port evaporating under us // Test if the QueuePort isn't in the process of going away // (i.e. we need to have at least 2 references for this object when // ObReferenceObject returns). Note the LPC lock is still held. // if ( ObReferenceObjectSafe( QueuePort ) ) { // // Finish filling in the message and then insert it in the queue // Msg->Request.MessageId = LpcpGenerateMessageId(); Msg->Request.CallbackId = 0; Msg->SenderPort = PortObject; CurrentThread->LpcReplyMessageId = 0; InsertTailList( &QueuePort->MsgQueue.ReceiveHead, &Msg->Entry ); LpcpTrace(( "%s Send DataGram (%s) Msg %lx [%08x %08x %08x %08x] to Port %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, LpcpMessageTypeName[ Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE ], Msg, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), QueuePort, LpcpGetCreatorName( QueuePort ))); // // Release the mutex, increment the request message queue // semaphore by one for the newly inserted request message // then exit the critical region. // // Disable APCs to prevent this thread from being suspended // before being able to release the semaphore. // KeEnterCriticalRegionThread(&CurrentThread->Tcb); LpcpReleaseLpcpLock(); KeReleaseSemaphore( QueuePort->MsgQueue.Semaphore, LPC_RELEASE_WAIT_INCREMENT, 1L, FALSE ); // // If this is a waitable port then we'll need to set the event for // anyone that was waiting on the port // if ( QueuePort->Flags & PORT_WAITABLE ) { KeSetEvent( &QueuePort->WaitEvent, LPC_RELEASE_WAIT_INCREMENT, FALSE ); } // // Exit the critical region and release the port object // KeLeaveCriticalRegionThread(&CurrentThread->Tcb); if (ConnectionPort) { ObDereferenceObject( ConnectionPort ); } ObDereferenceObject( QueuePort ); ObDereferenceObject( PortObject ); // // And return to our caller. This is the only successful way out // of this routine // return Status; } } // // At this point we have a message but not a valid port to queue it off // to so we'll free up the port object and release the unused message. // LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( PortObject ); if (ConnectionPort) { ObDereferenceObject( ConnectionPort ); } // // And return the error status to our caller // return STATUS_PORT_DISCONNECTED; } NTSTATUS NtRequestWaitReplyPort ( IN HANDLE PortHandle, IN PPORT_MESSAGE RequestMessage, OUT PPORT_MESSAGE ReplyMessage ) /*++ Routine Description: A client and server process can send a request and wait for a reply using the NtRequestWaitReplyPort service. If the Type field of the RequestMessage structure is euqal to LPC_REQUEST, then this is identified as a callback request. The ClientId and MessageId fields are used to identify the thread that is waiting for a reply. This thread is unblocked and the current thread that called this service then blocks waiting for a reply. The Type field of the message is set to LPC_REQUEST by the service. Otherwise the Type field of the message must be zero and it will be set to LPC_REQUEST by the service. The message pointed to by the RequestMessage parameter is placed in the message queue of the port connected to the communication port specified by the PortHandle parameter. This service returns an error if PortHandle is invalid. The calling thread then blocks waiting for a reply. The reply message is stored in the location pointed to by the ReplyMessage parameter. The ClientId, MessageId and message type fields will be filled in by the service. Arguments: PortHandle - Specifies the handle of the communication port to send the request message to. RequestMessage - Specifies a pointer to a request message to send. ReplyMessage - Specifies the address of a variable that will receive the reply message. This parameter may point to the same buffer as the RequestMessage parameter. Return Value: NTSTATUS - A status code that indicates whether or not the operation was successful. --*/ { PLPCP_PORT_OBJECT PortObject; PLPCP_PORT_OBJECT QueuePort; PLPCP_PORT_OBJECT RundownPort; PORT_MESSAGE CapturedRequestMessage; ULONG MsgType; PKSEMAPHORE ReleaseSemaphore; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PLPCP_MESSAGE Msg; PETHREAD CurrentThread; PETHREAD WakeupThread; BOOLEAN CallbackRequest; PORT_DATA_INFORMATION CapturedDataInfo; PLPCP_PORT_OBJECT ConnectionPort = NULL; LOGICAL NoImpersonate; PAGED_CODE(); // // We cannot wait for a reply if the current thread is exiting // CurrentThread = PsGetCurrentThread(); if (CurrentThread->LpcExitThreadCalled) { return STATUS_THREAD_IS_TERMINATING; } // // Get previous processor mode and probe output arguments if necessary. // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { try { ProbeForReadSmallStructure( RequestMessage, sizeof( *RequestMessage ), PROBE_ALIGNMENT (PORT_MESSAGE)); CapturedRequestMessage = *RequestMessage; CapturedRequestMessage.u2.s2.Type &= ~LPC_KERNELMODE_MESSAGE; ProbeForWriteSmallStructure( ReplyMessage, sizeof( *ReplyMessage ), PROBE_ALIGNMENT (PORT_MESSAGE)); // // Make sure that if this message has a data info offset that // the port data information actually fits in the message. // // We first check that the DataInfoOffset doesn't put us beyond // the end of the message. // // Then we capture the data info record and compute a pointer to // the first unused data entry based on the supplied count. If // the start of the message plus its total length doesn't come // up to the first unused data entry then the last valid data // entry doesn't fit in the message buffer. Also if the data // entry pointer that we compute is less than the data info // pointer then we must have wrapped. // if (CapturedRequestMessage.u2.s2.DataInfoOffset != 0) { PPORT_DATA_INFORMATION DataInfo; PPORT_DATA_ENTRY DataEntry; if (((ULONG)CapturedRequestMessage.u2.s2.DataInfoOffset) > (CapturedRequestMessage.u1.s1.TotalLength - sizeof(PORT_DATA_INFORMATION))) { return STATUS_INVALID_PARAMETER; } if ((ULONG)CapturedRequestMessage.u2.s2.DataInfoOffset < sizeof(PORT_MESSAGE)) { return STATUS_INVALID_PARAMETER; } DataInfo = (PPORT_DATA_INFORMATION)(((PUCHAR)RequestMessage) + CapturedRequestMessage.u2.s2.DataInfoOffset); ProbeForReadSmallStructure( DataInfo, sizeof( *DataInfo ), PROBE_ALIGNMENT (PORT_DATA_INFORMATION)); CapturedDataInfo = *DataInfo; if (CapturedDataInfo.CountDataEntries > ((CapturedRequestMessage.u1.s1.TotalLength - CapturedRequestMessage.u2.s2.DataInfoOffset) / sizeof(PORT_DATA_ENTRY))) { return STATUS_INVALID_PARAMETER; } DataEntry = &(DataInfo->DataEntries[CapturedDataInfo.CountDataEntries]); if ( ((PUCHAR)DataEntry < (PUCHAR)DataInfo) || ((((PUCHAR)RequestMessage) + CapturedRequestMessage.u1.s1.TotalLength) < (PUCHAR)DataEntry)) { return STATUS_INVALID_PARAMETER; } } } except( EXCEPTION_EXECUTE_HANDLER ) { return GetExceptionCode(); } } else { CapturedRequestMessage = *RequestMessage; if (CapturedRequestMessage.u2.s2.DataInfoOffset != 0) { PPORT_DATA_INFORMATION DataInfo; DataInfo = (PPORT_DATA_INFORMATION)(((PUCHAR)RequestMessage) + CapturedRequestMessage.u2.s2.DataInfoOffset); CapturedDataInfo = *DataInfo; } } // // Capture the NoImpersonateFlag and clear the bit if necessary // if (CapturedRequestMessage.u2.s2.Type & LPC_NO_IMPERSONATE) { NoImpersonate = TRUE; CapturedRequestMessage.u2.s2.Type &= ~LPC_NO_IMPERSONATE; } else { NoImpersonate = FALSE; } // // If the message type is an lpc request then say we need a callback. // Otherwise if it not an lpc request and it is not a kernel mode message // then it is an illegal parameter. A third case is if the type is // a kernel mode message in which case we make it look like an lpc request // but without the callback. // if ((CapturedRequestMessage.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) == LPC_REQUEST) { CallbackRequest = TRUE; } else if ((CapturedRequestMessage.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) != 0) { return STATUS_INVALID_PARAMETER; } else { CapturedRequestMessage.u2.s2.Type |= LPC_REQUEST; CallbackRequest = FALSE; } // // Make sure DataLength is valid with respect to header size and total length // if ((((CLONG)CapturedRequestMessage.u1.s1.DataLength) + sizeof( PORT_MESSAGE )) > ((CLONG)CapturedRequestMessage.u1.s1.TotalLength)) { return STATUS_INVALID_PARAMETER; } // // Reference the communication port object by handle. Return status if // unsuccessful. // Status = LpcpReferencePortObject( PortHandle, 0, PreviousMode, &PortObject ); if (!NT_SUCCESS( Status )) { return Status; } // // Validate the message length // if (((ULONG)CapturedRequestMessage.u1.s1.TotalLength > PortObject->MaxMessageLength) || ((ULONG)CapturedRequestMessage.u1.s1.TotalLength <= (ULONG)CapturedRequestMessage.u1.s1.DataLength)) { ObDereferenceObject( PortObject ); return STATUS_PORT_MESSAGE_TOO_LONG; } // // Determine which port to queue the message to and get client // port context if client sending to server. Also validate // length of message being sent. // // // Allocate and initialize the LPC message to send off // Msg = (PLPCP_MESSAGE)LpcpAllocateFromPortZone( CapturedRequestMessage.u1.s1.TotalLength ); if (Msg == NULL) { ObDereferenceObject( PortObject ); return STATUS_NO_MEMORY; } MsgType = CapturedRequestMessage.u2.s2.Type; // // Check if we need to do a callback // if (CallbackRequest) { // // Check for a valid request message id // if (CapturedRequestMessage.MessageId == 0) { LpcpFreeToPortZone( Msg, 0 ); ObDereferenceObject( PortObject ); return STATUS_INVALID_PARAMETER; } // // Translate the ClientId from the request into a // thread pointer. This is a referenced pointer to keep the thread // from evaporating out from under us. // Status = PsLookupProcessThreadByCid( &CapturedRequestMessage.ClientId, NULL, &WakeupThread ); if (!NT_SUCCESS( Status )) { LpcpFreeToPortZone( Msg, 0 ); ObDereferenceObject( PortObject ); return Status; } // // Acquire the mutex that guards the LpcReplyMessage field of // the thread and get the pointer to the message that the thread // is waiting for a reply to. // LpcpAcquireLpcpLockByThread(CurrentThread); // // See if the thread is waiting for a reply to the message // specified on this call. If not then a bogus message has been // specified, so release the mutex, dereference the thread // and return failure. // if ((WakeupThread->LpcReplyMessageId != CapturedRequestMessage.MessageId) || ((LpcpGetThreadMessage(WakeupThread) != NULL) && (LpcpGetThreadMessage(WakeupThread)->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) != LPC_REQUEST) || (!LpcpValidateClientPort(WakeupThread, PortObject, LPCP_VALIDATE_REASON_REPLY)) ) { LpcpPrint(( "%s Attempted CallBack Request to Thread %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, WakeupThread, THREAD_TO_PROCESS( WakeupThread )->ImageFileName )); LpcpPrint(( "failed. MessageId == %u Client Id: %x.%x\n", CapturedRequestMessage.MessageId, CapturedRequestMessage.ClientId.UniqueProcess, CapturedRequestMessage.ClientId.UniqueThread )); LpcpPrint(( " Thread MessageId == %u Client Id: %x.%x\n", WakeupThread->LpcReplyMessageId, WakeupThread->Cid.UniqueProcess, WakeupThread->Cid.UniqueThread )); #if DBG if (LpcpStopOnReplyMismatch) { DbgBreakPoint(); } #endif LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( WakeupThread ); ObDereferenceObject( PortObject ); return STATUS_REPLY_MESSAGE_MISMATCH; } // // Copy over the text of the message // try { LpcpMoveMessage( &Msg->Request, &CapturedRequestMessage, (RequestMessage + 1), MsgType, &CurrentThread->Cid ); if (CapturedRequestMessage.u2.s2.DataInfoOffset != 0) { PPORT_DATA_INFORMATION DataInfo; DataInfo = (PPORT_DATA_INFORMATION)(((PUCHAR)&Msg->Request) + CapturedRequestMessage.u2.s2.DataInfoOffset); if ( DataInfo->CountDataEntries != CapturedDataInfo.CountDataEntries ) { Status = STATUS_INVALID_PARAMETER; } } } except( EXCEPTION_EXECUTE_HANDLER ) { Status = GetExceptionCode(); } if (!NT_SUCCESS( Status )) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( WakeupThread ); ObDereferenceObject( PortObject ); return Status; } // // Under the protect of the global lock we'll get everything // ready for the callback // QueuePort = NULL; Msg->PortContext = NULL; if ((PortObject->Flags & PORT_TYPE) == SERVER_CONNECTION_PORT) { RundownPort = PortObject; } else { RundownPort = PortObject->ConnectedPort; if (RundownPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( WakeupThread ); ObDereferenceObject( PortObject ); return STATUS_PORT_DISCONNECTED; } if ((PortObject->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { Msg->PortContext = RundownPort->PortContext; } } Msg->Request.CallbackId = LpcpGenerateCallbackId(); LpcpTrace(( "%s CallBack Request (%s) Msg %lx (%u.%u) [%08x %08x %08x %08x] to Thread %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, LpcpMessageTypeName[ Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE ], Msg, Msg->Request.MessageId, Msg->Request.CallbackId, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), WakeupThread, THREAD_TO_PROCESS( WakeupThread )->ImageFileName )); // // Add an extra reference so LpcExitThread does not evaporate // the pointer before we get to the wait below // ObReferenceObject( WakeupThread ); Msg->RepliedToThread = WakeupThread; WakeupThread->LpcReplyMessageId = 0; WakeupThread->LpcReplyMessage = (PVOID)Msg; // // Remove the thread from the reply rundown list as we are sending a callback // if (!IsListEmpty( &WakeupThread->LpcReplyChain )) { RemoveEntryList( &WakeupThread->LpcReplyChain ); InitializeListHead( &WakeupThread->LpcReplyChain ); } CurrentThread->LpcReplyMessageId = Msg->Request.MessageId; CurrentThread->LpcReplyMessage = NULL; InsertTailList( &RundownPort->LpcReplyChainHead, &CurrentThread->LpcReplyChain ); LpcpSetPortToThread( CurrentThread, PortObject ); if (NoImpersonate) { LpcpSetThreadAttributes(CurrentThread, LPCP_NO_IMPERSONATION); } KeEnterCriticalRegionThread (&CurrentThread->Tcb); LpcpReleaseLpcpLock(); // // Wake up the thread that is waiting for an answer to its request // inside of NtRequestWaitReplyPort or NtReplyWaitReplyPort // ReleaseSemaphore = &WakeupThread->LpcReplySemaphore; } else { // // A callback is not required, so continue setting up the // lpc message // try { LpcpMoveMessage( &Msg->Request, &CapturedRequestMessage, (RequestMessage + 1), MsgType, &CurrentThread->Cid ); if (CapturedRequestMessage.u2.s2.DataInfoOffset != 0) { PPORT_DATA_INFORMATION DataInfo; DataInfo = (PPORT_DATA_INFORMATION)(((PUCHAR)&Msg->Request) + CapturedRequestMessage.u2.s2.DataInfoOffset); if ( DataInfo->CountDataEntries != CapturedDataInfo.CountDataEntries ) { LpcpFreeToPortZone( Msg, 0 ); ObDereferenceObject( PortObject ); return STATUS_INVALID_PARAMETER; } } } except( EXCEPTION_EXECUTE_HANDLER ) { LpcpFreeToPortZone( Msg, 0 ); ObDereferenceObject( PortObject ); return GetExceptionCode(); } // // Acquire the global Lpc mutex that guards the LpcReplyMessage // field of the thread and the request message queue. Stamp the // request message with a serial number, insert the message at // the tail of the request message queue and remember the address // of the message in the LpcReplyMessage field for the current thread. // LpcpAcquireLpcpLockByThread(CurrentThread); Msg->PortContext = NULL; if ((PortObject->Flags & PORT_TYPE) != SERVER_CONNECTION_PORT) { QueuePort = PortObject->ConnectedPort; if (QueuePort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( PortObject ); return STATUS_PORT_DISCONNECTED; } RundownPort = QueuePort; if ((PortObject->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { Msg->PortContext = QueuePort->PortContext; ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( PortObject ); return STATUS_PORT_DISCONNECTED; } } else if ((PortObject->Flags & PORT_TYPE) != SERVER_COMMUNICATION_PORT) { ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( PortObject ); return STATUS_PORT_DISCONNECTED; } } if (ConnectionPort) { ObReferenceObject( ConnectionPort ); } } else { QueuePort = PortObject; RundownPort = PortObject; } // // Stamp the request message with a serial number, insert the message // at the tail of the request message queue // Msg->RepliedToThread = NULL; Msg->Request.MessageId = LpcpGenerateMessageId(); Msg->Request.CallbackId = 0; Msg->SenderPort = PortObject; CurrentThread->LpcReplyMessageId = Msg->Request.MessageId; CurrentThread->LpcReplyMessage = NULL; InsertTailList( &QueuePort->MsgQueue.ReceiveHead, &Msg->Entry ); InsertTailList( &RundownPort->LpcReplyChainHead, &CurrentThread->LpcReplyChain ); LpcpSetPortToThread(CurrentThread, PortObject); if (NoImpersonate) { LpcpSetThreadAttributes(CurrentThread, LPCP_NO_IMPERSONATION); } LpcpTrace(( "%s Send Request (%s) Msg %lx (%u) [%08x %08x %08x %08x] to Port %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, LpcpMessageTypeName[ Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE ], Msg, Msg->Request.MessageId, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), QueuePort, LpcpGetCreatorName( QueuePort ))); KeEnterCriticalRegionThread (&CurrentThread->Tcb); LpcpReleaseLpcpLock(); // // Increment the request message queue semaphore by one for // the newly inserted request message. // ReleaseSemaphore = QueuePort->MsgQueue.Semaphore; // // If port is waitable then set the event that someone could // be waiting on // if ( QueuePort->Flags & PORT_WAITABLE ) { KeSetEvent( &QueuePort->WaitEvent, LPC_RELEASE_WAIT_INCREMENT, FALSE ); } } // // At this point we've enqueued our request and if necessary // set ourselves up for the callback or reply. // // So now wake up the other end // Status = KeReleaseSemaphore( ReleaseSemaphore, 1, 1, FALSE ); KeLeaveCriticalRegionThread (&CurrentThread->Tcb); if (CallbackRequest) { ObDereferenceObject( WakeupThread ); } // // And wait for a reply // Status = KeWaitForSingleObject( &CurrentThread->LpcReplySemaphore, WrLpcReply, PreviousMode, FALSE, NULL ); if (Status == STATUS_USER_APC) { // // if the semaphore is signaled, then clear it // if (KeReadStateSemaphore( &CurrentThread->LpcReplySemaphore )) { KeWaitForSingleObject( &CurrentThread->LpcReplySemaphore, WrExecutive, KernelMode, FALSE, NULL ); Status = STATUS_SUCCESS; } } // // Acquire the LPC mutex. Remove the reply message from the current thread // LpcpAcquireLpcpLockByThread(CurrentThread); Msg = LpcpGetThreadMessage(CurrentThread); CurrentThread->LpcReplyMessage = NULL; CurrentThread->LpcReplyMessageId = 0; // // Remove the thread from the reply rundown list in case we did not wakeup due to // a reply // if (!IsListEmpty( &CurrentThread->LpcReplyChain )) { RemoveEntryList( &CurrentThread->LpcReplyChain ); InitializeListHead( &CurrentThread->LpcReplyChain ); } #if DBG if (Status == STATUS_SUCCESS && Msg != NULL) { LpcpTrace(( "%s Got Reply Msg %lx (%u) [%08x %08x %08x %08x] for Thread %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, Msg, Msg->Request.MessageId, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), CurrentThread, THREAD_TO_PROCESS( CurrentThread )->ImageFileName )); if (!IsListEmpty( &Msg->Entry )) { LpcpTrace(( "Reply Msg %lx has non-empty list entry\n", Msg )); } } #endif LpcpReleaseLpcpLock(); // // If the wait succeeded, copy the reply to the reply buffer. // if (Status == STATUS_SUCCESS) { if (Msg != NULL) { try { LpcpMoveMessage( ReplyMessage, &Msg->Request, (&Msg->Request) + 1, 0, NULL ); } except( EXCEPTION_EXECUTE_HANDLER ) { Status = GetExceptionCode(); } // // Acquire the LPC mutex and decrement the reference count for the // message. If the reference count goes to zero the message will be // deleted. // if (((Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) == LPC_REQUEST) && (Msg->Request.u2.s2.DataInfoOffset != 0)) { LpcpSaveDataInfoMessage( PortObject, Msg, 0 ); } else { LpcpFreeToPortZone( Msg, 0 ); } } else { Status = STATUS_LPC_REPLY_LOST; } } else { // // Wait failed, free the message if any. // LpcpTrace(( "%s NtRequestWaitReply wait failed - Status == %lx\n", PsGetCurrentProcess()->ImageFileName, Status )); if (Msg != NULL) { LpcpFreeToPortZone( Msg, 0); } } ObDereferenceObject( PortObject ); if (ConnectionPort) { ObDereferenceObject( ConnectionPort ); } // // And return to our caller // return Status; } NTSTATUS LpcRequestPort ( IN PVOID PortAddress, IN PPORT_MESSAGE RequestMessage ) /*++ Routine Description: This procedure is similar to NtRequestPort but without the Handle based interface. Arguments: PortAddress - Supplies a pointer to the communication port to send the request message to. RequestMessage - Specifies a pointer to the request message. The Type field of the message is set to LPC_DATAGRAM by the service. Return Value: NTSTATUS - A status code that indicates whether or not the operation was successful. --*/ { PETHREAD CurrentThread; PLPCP_PORT_OBJECT PortObject = (PLPCP_PORT_OBJECT)PortAddress; PLPCP_PORT_OBJECT QueuePort; ULONG MsgType; PLPCP_MESSAGE Msg; KPROCESSOR_MODE PreviousMode; PLPCP_PORT_OBJECT ConnectionPort = NULL; PAGED_CODE(); // // Get previous processor mode and validate parameters // PreviousMode = KeGetPreviousMode(); if (RequestMessage->u2.s2.Type != 0) { MsgType = RequestMessage->u2.s2.Type & ~LPC_KERNELMODE_MESSAGE; if ((MsgType < LPC_DATAGRAM) || (MsgType > LPC_CLIENT_DIED)) { return STATUS_INVALID_PARAMETER; } // // If previous mode is kernel, allow the LPC_KERNELMODE_MESSAGE // bit to be passed in message type field. // if ((PreviousMode == KernelMode) && (RequestMessage->u2.s2.Type & LPC_KERNELMODE_MESSAGE)) { MsgType |= LPC_KERNELMODE_MESSAGE; } } else { MsgType = LPC_DATAGRAM; } if (RequestMessage->u2.s2.DataInfoOffset != 0) { return STATUS_INVALID_PARAMETER; } // // Validate the message length // if (((ULONG)RequestMessage->u1.s1.TotalLength > PortObject->MaxMessageLength) || ((ULONG)RequestMessage->u1.s1.TotalLength <= (ULONG)RequestMessage->u1.s1.DataLength)) { return STATUS_PORT_MESSAGE_TOO_LONG; } // // Allocate a message block // Msg = (PLPCP_MESSAGE)LpcpAllocateFromPortZone( RequestMessage->u1.s1.TotalLength ); if (Msg == NULL) { return STATUS_NO_MEMORY; } // // Fill in the message block. // Msg->RepliedToThread = NULL; Msg->PortContext = NULL; CurrentThread = PsGetCurrentThread(); LpcpMoveMessage( &Msg->Request, RequestMessage, (RequestMessage + 1), MsgType, &CurrentThread->Cid ); // // Acquire the global Lpc mutex that guards the LpcReplyMessage // field of the thread and the request message queue. Stamp the // request message with a serial number, insert the message at // the tail of the request message queue // LpcpAcquireLpcpLockByThread(CurrentThread); if ((PortObject->Flags & PORT_TYPE) != SERVER_CONNECTION_PORT) { QueuePort = PortObject->ConnectedPort; if (QueuePort != NULL) { if ((PortObject->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { Msg->PortContext = QueuePort->PortContext; ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_PORT_DISCONNECTED; } // // In the case we don't have a CLIENT_COMMUNICATION_PORT nor // SERVER_COMMUNICATION_PORT we'll use the connection port // to queue messages. // } else if ((PortObject->Flags & PORT_TYPE) != SERVER_COMMUNICATION_PORT) { ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_PORT_DISCONNECTED; } } if (ConnectionPort) { ObReferenceObject( ConnectionPort ); } } } else { QueuePort = PortObject; } // // At this point we have an LPC message ready to send and if queue port is // not null then we have a port to actually send the message off to // if (QueuePort != NULL) { Msg->Request.MessageId = LpcpGenerateMessageId(); Msg->Request.CallbackId = 0; Msg->SenderPort = PortObject; CurrentThread->LpcReplyMessageId = 0; InsertTailList( &QueuePort->MsgQueue.ReceiveHead, &Msg->Entry ); LpcpTrace(( "%s Send DataGram (%s) Msg %lx [%08x %08x %08x %08x] to Port %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, LpcpMessageTypeName[ Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE ], Msg, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), QueuePort, LpcpGetCreatorName( QueuePort ))); // // Release the mutex, increment the request message queue // semaphore by one for the newly inserted request message, // then exit the critical region. // // Disable APCs to prevent this thread from being suspended // before being able to release the semaphore. // KeEnterCriticalRegionThread(&CurrentThread->Tcb); LpcpReleaseLpcpLock(); KeReleaseSemaphore( QueuePort->MsgQueue.Semaphore, LPC_RELEASE_WAIT_INCREMENT, 1L, FALSE ); if ( QueuePort->Flags & PORT_WAITABLE ) { KeSetEvent( &QueuePort->WaitEvent, LPC_RELEASE_WAIT_INCREMENT, FALSE ); } KeLeaveCriticalRegionThread(&CurrentThread->Tcb); if (ConnectionPort) { ObDereferenceObject( ConnectionPort ); } return STATUS_SUCCESS; } // // At this point we have a message but not a valid port to queue it off // to so we'll release the unused message and release our mutex. // LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); if (ConnectionPort) { ObDereferenceObject( ConnectionPort ); } // // And return the error status to our caller // return STATUS_PORT_DISCONNECTED; } NTSTATUS LpcpRequestWaitReplyPort ( IN PVOID PortAddress, IN PPORT_MESSAGE RequestMessage, OUT PPORT_MESSAGE ReplyMessage, IN KPROCESSOR_MODE AccessMode ) /*++ Routine Description: This procedure is similar to NtRequestWaitReplyPort but without the handle based interface Arguments: PortAddress - Supplies the communication port object to send the request message to. RequestMessage - Specifies a pointer to a request message to send. ReplyMessage - Specifies the address of a variable that will receive the reply message. This parameter may point to the same buffer as the RequestMessage parameter. Return Value: NTSTATUS - A status code that indicates whether or not the operation was successful. --*/ { PLPCP_PORT_OBJECT PortObject = (PLPCP_PORT_OBJECT)PortAddress; PLPCP_PORT_OBJECT QueuePort; PLPCP_PORT_OBJECT RundownPort; PKSEMAPHORE ReleaseSemaphore; NTSTATUS Status; ULONG MsgType; PLPCP_MESSAGE Msg; PETHREAD CurrentThread; PETHREAD WakeupThread; BOOLEAN CallbackRequest; KPROCESSOR_MODE PreviousMode; PLPCP_PORT_OBJECT ConnectionPort = NULL; PAGED_CODE(); CurrentThread = PsGetCurrentThread(); if (CurrentThread->LpcExitThreadCalled) { return STATUS_THREAD_IS_TERMINATING; } // // Get previous processor mode and validate parameters // PreviousMode = KeGetPreviousMode(); MsgType = RequestMessage->u2.s2.Type & ~LPC_KERNELMODE_MESSAGE; CallbackRequest = FALSE; switch (MsgType) { case 0: MsgType = LPC_REQUEST; break; case LPC_REQUEST: CallbackRequest = TRUE; break; case LPC_CLIENT_DIED: case LPC_PORT_CLOSED: case LPC_EXCEPTION: case LPC_DEBUG_EVENT: case LPC_ERROR_EVENT: break; default : return STATUS_INVALID_PARAMETER; } // // Allow the LPC_KERNELMODE_MESSAGE // bit to be passed in message type field. Don't check the previous mode !!! // if ( RequestMessage->u2.s2.Type & LPC_KERNELMODE_MESSAGE) { MsgType |= LPC_KERNELMODE_MESSAGE; } RequestMessage->u2.s2.Type = (CSHORT)MsgType; // // Validate the message length // if (((ULONG)RequestMessage->u1.s1.TotalLength > PortObject->MaxMessageLength) || ((ULONG)RequestMessage->u1.s1.TotalLength <= (ULONG)RequestMessage->u1.s1.DataLength)) { return STATUS_PORT_MESSAGE_TOO_LONG; } // // Determine which port to queue the message to and get client // port context if client sending to server. Also validate // length of message being sent. // Msg = (PLPCP_MESSAGE)LpcpAllocateFromPortZone( RequestMessage->u1.s1.TotalLength ); if (Msg == NULL) { return STATUS_NO_MEMORY; } if (CallbackRequest) { // // Check for a valid request message id // if (RequestMessage->MessageId == 0) { LpcpFreeToPortZone( Msg, 0 ); return STATUS_INVALID_PARAMETER; } // // Translate the ClientId from the request into a // thread pointer. This is a referenced pointer to keep the thread // from evaporating out from under us. // Status = PsLookupProcessThreadByCid( &RequestMessage->ClientId, NULL, &WakeupThread ); if (!NT_SUCCESS( Status )) { LpcpFreeToPortZone( Msg, 0 ); return Status; } // // Acquire the mutex that guards the LpcReplyMessage field of // the thread and get the pointer to the message that the thread // is waiting for a reply to. // LpcpAcquireLpcpLockByThread(CurrentThread); // // See if the thread is waiting for a reply to the message // specified on this call. If not then a bogus message // has been specified, so release the mutex, dereference the thread // and return failure. // if ((WakeupThread->LpcReplyMessageId != RequestMessage->MessageId) || ((LpcpGetThreadMessage(WakeupThread) != NULL) && (LpcpGetThreadMessage(WakeupThread)->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) != LPC_REQUEST) || (!LpcpValidateClientPort(WakeupThread, PortObject, LPCP_VALIDATE_REASON_REPLY)) ) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( WakeupThread ); return STATUS_REPLY_MESSAGE_MISMATCH; } QueuePort = NULL; Msg->PortContext = NULL; if ((PortObject->Flags & PORT_TYPE) == SERVER_CONNECTION_PORT) { RundownPort = PortObject; } else { RundownPort = PortObject->ConnectedPort; if (RundownPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); ObDereferenceObject( WakeupThread ); return STATUS_PORT_DISCONNECTED; } if ((PortObject->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { Msg->PortContext = RundownPort->PortContext; } } // // Allocate and initialize a request message // LpcpMoveMessage( &Msg->Request, RequestMessage, (RequestMessage + 1), 0, &CurrentThread->Cid ); Msg->Request.CallbackId = LpcpGenerateCallbackId(); LpcpTrace(( "%s CallBack Request (%s) Msg %lx (%u.%u) [%08x %08x %08x %08x] to Thread %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, LpcpMessageTypeName[ Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE ], Msg, Msg->Request.MessageId, Msg->Request.CallbackId, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), WakeupThread, THREAD_TO_PROCESS( WakeupThread )->ImageFileName )); // // Add an extra reference so LpcExitThread does not evaporate // the pointer before we get to the wait below // ObReferenceObject( WakeupThread ); Msg->RepliedToThread = WakeupThread; WakeupThread->LpcReplyMessageId = 0; WakeupThread->LpcReplyMessage = (PVOID)Msg; // // Remove the thread from the reply rundown list as we are sending a callback // if (!IsListEmpty( &WakeupThread->LpcReplyChain )) { RemoveEntryList( &WakeupThread->LpcReplyChain ); InitializeListHead( &WakeupThread->LpcReplyChain ); } CurrentThread->LpcReplyMessageId = Msg->Request.MessageId; CurrentThread->LpcReplyMessage = NULL; InsertTailList( &RundownPort->LpcReplyChainHead, &CurrentThread->LpcReplyChain ); LpcpSetPortToThread(CurrentThread, PortObject); KeEnterCriticalRegionThread (&CurrentThread->Tcb); LpcpReleaseLpcpLock(); // // Wake up the thread that is waiting for an answer to its request // inside of NtRequestWaitReplyPort or NtReplyWaitReplyPort // ReleaseSemaphore = &WakeupThread->LpcReplySemaphore; } else { // // There is no callback requested // LpcpMoveMessage( &Msg->Request, RequestMessage, (RequestMessage + 1), 0, &CurrentThread->Cid ); // // Acquire the global Lpc mutex that guards the LpcReplyMessage // field of the thread and the request message queue. Stamp the // request message with a serial number, insert the message at // the tail of the request message queue and remember the address // of the message in the LpcReplyMessage field for the current thread. // LpcpAcquireLpcpLockByThread(CurrentThread); if ((CurrentThread->LpcReplyMessage != NULL) || (CurrentThread->LpcReplyMessageId != 0) || (CurrentThread->KeyedEventInUse)) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_UNSUCCESSFUL; } Msg->PortContext = NULL; if ((PortObject->Flags & PORT_TYPE) != SERVER_CONNECTION_PORT) { QueuePort = PortObject->ConnectedPort; if (QueuePort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_PORT_DISCONNECTED; } RundownPort = QueuePort; if ((PortObject->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { Msg->PortContext = QueuePort->PortContext; ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_PORT_DISCONNECTED; } } else if ((PortObject->Flags & PORT_TYPE) != SERVER_COMMUNICATION_PORT) { ConnectionPort = QueuePort = PortObject->ConnectionPort; if (ConnectionPort == NULL) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_PORT_DISCONNECTED; } } if (ConnectionPort) { ObReferenceObject( ConnectionPort ); } } else { if ((PortObject->Flags & PORT_NAME_DELETED) != 0) { LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); return STATUS_PORT_DISCONNECTED; } QueuePort = PortObject; RundownPort = PortObject; } Msg->RepliedToThread = NULL; Msg->Request.MessageId = LpcpGenerateMessageId(); Msg->Request.CallbackId = 0; Msg->SenderPort = PortObject; CurrentThread->LpcReplyMessageId = Msg->Request.MessageId; CurrentThread->LpcReplyMessage = NULL; InsertTailList( &QueuePort->MsgQueue.ReceiveHead, &Msg->Entry ); InsertTailList( &RundownPort->LpcReplyChainHead, &CurrentThread->LpcReplyChain ); LpcpSetPortToThread(CurrentThread, PortObject); LpcpTrace(( "%s Send Request (%s) Msg %lx (%u) [%08x %08x %08x %08x] to Port %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, LpcpMessageTypeName[ Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE ], Msg, Msg->Request.MessageId, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), QueuePort, LpcpGetCreatorName( QueuePort ))); KeEnterCriticalRegionThread (&CurrentThread->Tcb); LpcpReleaseLpcpLock(); // // Increment the request message queue semaphore by one for // the newly inserted request message. Release the spin // lock, while remaining at the dispatcher IRQL. Then wait for the // reply to this request by waiting on the LpcReplySemaphore // for the current thread. // ReleaseSemaphore = QueuePort->MsgQueue.Semaphore; if ( QueuePort->Flags & PORT_WAITABLE ) { KeSetEvent( &QueuePort->WaitEvent, LPC_RELEASE_WAIT_INCREMENT, FALSE ); } } // // At this point we've enqueued our request and if necessary // set ourselves up for the callback or reply. // // So now wake up the other end // Status = KeReleaseSemaphore( ReleaseSemaphore, 1, 1, FALSE ); KeLeaveCriticalRegionThread (&CurrentThread->Tcb); if (CallbackRequest) { ObDereferenceObject( WakeupThread ); } // // And wait for a reply // Status = KeWaitForSingleObject( &CurrentThread->LpcReplySemaphore, WrLpcReply, AccessMode, FALSE, NULL ); if (Status == STATUS_USER_APC) { // // if the semaphore is signaled, then clear it // if (KeReadStateSemaphore( &CurrentThread->LpcReplySemaphore )) { KeWaitForSingleObject( &CurrentThread->LpcReplySemaphore, WrExecutive, KernelMode, FALSE, NULL ); Status = STATUS_SUCCESS; } } // // Acquire the LPC mutex. Remove the reply message from the current thread // LpcpAcquireLpcpLockByThread(CurrentThread); Msg = LpcpGetThreadMessage(CurrentThread); CurrentThread->LpcReplyMessage = NULL; CurrentThread->LpcReplyMessageId = 0; // // Remove the thread from the reply rundown list in case we did not wakeup due to // a reply // if (!IsListEmpty( &CurrentThread->LpcReplyChain )) { RemoveEntryList( &CurrentThread->LpcReplyChain ); InitializeListHead( &CurrentThread->LpcReplyChain ); } #if DBG if (Msg != NULL) { LpcpTrace(( "%s Got Reply Msg %lx (%u) [%08x %08x %08x %08x] for Thread %lx (%s)\n", PsGetCurrentProcess()->ImageFileName, Msg, Msg->Request.MessageId, *((PULONG)(Msg+1)+0), *((PULONG)(Msg+1)+1), *((PULONG)(Msg+1)+2), *((PULONG)(Msg+1)+3), CurrentThread, THREAD_TO_PROCESS( CurrentThread )->ImageFileName )); } #endif LpcpReleaseLpcpLock(); // // If the wait succeeded, copy the reply to the reply buffer. // if (Status == STATUS_SUCCESS) { if (Msg != NULL) { LpcpMoveMessage( ReplyMessage, &Msg->Request, (&Msg->Request) + 1, 0, NULL ); // // Acquire the LPC mutex and decrement the reference count for the // message. If the reference count goes to zero the message will be // deleted. // LpcpAcquireLpcpLockByThread(CurrentThread); if (Msg->RepliedToThread != NULL) { ObDereferenceObject( Msg->RepliedToThread ); Msg->RepliedToThread = NULL; } LpcpFreeToPortZone( Msg, LPCP_MUTEX_OWNED | LPCP_MUTEX_RELEASE_ON_RETURN ); } else { Status = STATUS_LPC_REPLY_LOST; } } else { // // Wait failed, free the message if any. // if (Msg != NULL) { LpcpFreeToPortZone( Msg, 0 ); } } if (ConnectionPort) { ObDereferenceObject( ConnectionPort ); } // // And return to our caller // return Status; } NTSTATUS LpcRequestWaitReplyPort ( IN PVOID PortAddress, IN PPORT_MESSAGE RequestMessage, OUT PPORT_MESSAGE ReplyMessage ) { return LpcpRequestWaitReplyPort( PortAddress, RequestMessage, ReplyMessage, KernelMode ); } NTSTATUS LpcRequestWaitReplyPortEx ( IN PVOID PortAddress, IN PPORT_MESSAGE RequestMessage, OUT PPORT_MESSAGE ReplyMessage ) { return LpcpRequestWaitReplyPort( PortAddress, RequestMessage, ReplyMessage, KeGetPreviousMode() ); }