Core ReactOS / CORE-8200

Frequent crashes in RPC server applications


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 0.4.0
    • Build System, Wine
    • None
    • 53,171

    Description

      In tests (and other things) involving RPC calls, we often see:

      • HEAP: Trying to free an invalid address XXXXXXXX!
      • we got fault packet with status 0x3e6
        and possibly other failures.

      We use -Oif when generating server & client stubs with widl since r53171. Wine does not use that flag, so they get different stubs, which exercise different code paths.

      When -Oif is enabled, there is a use-after-free condition in rpcrt4 where the conformance/variance check on an array can reference parameters that have already been freed. For example:

        /* Lookup entries in an endpoint map using the given input pattern */
        [idempotent]
        void ept_map(
            [in]        handle_t            h,
            [in]        uuid_p_t            object,
            [in]        twr_p_t             map_tower,
            [in, out]   ept_lookup_handle_t *entry_handle,
            [in]        unsigned32          max_towers,
            [out]       unsigned32          *num_towers,
            [out, length_is(*num_towers), size_is(max_towers)]
                        twr_p_t             *towers,
            [out]       error_status_t      *status
        );

      Parameter buffers are freed in order, so the buffer for max_towers will be freed in the STUBLESS_FREE stage of the RPC call (server side) before the towers parameter. However, on free of towers, its conformance (max_towers) and variance (*num_towers) are checked, which will cause an access to the already freed memory at *num_towers.

      This is a bug in Wine's rpcrt4, and that should be fixed; but I currently don't know how. In any case, by using -Oif with widl we are just asking for trouble because Wine does not use this flag, hence the relevant code in rpcrt4 is not well tested. This sacrifices application compatibility and general system stability just because we want to use a more modern RPC mechanism – which is not an acceptable trade-off.
      http://svn.reactos.org/svn/reactos?view=revision&revision=53171
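
Added illustration, not the reporter's code and not Wine's rpcrt4: a small C model of the freeing order the description walks through, with the strict in-order stage that reads max_towers and *num_towers after they are gone beside an ordering that frees parameters used as descriptors last. The param_t layout and the names free_stage and ept_map_uaf_count are assumptions made for this example.

```c
#include <stdlib.h>

/* Constructed model of the server-side STUBLESS_FREE stage (added here, not
   Wine's rpcrt4 code): freeing an array parameter first reads the parameters
   named by its size_is (conformance) and length_is (variance) attributes. */
typedef struct {
    void *buf;      /* NULL once freed */
    int size_is;    /* index of the conformance parameter, or -1 */
    int length_is;  /* index of the variance parameter, or -1 */
} param_t;

enum { P_MAX_TOWERS, P_NUM_TOWERS, P_TOWERS, NPARAMS };

/* Frees parameter i, counting each descriptor read that hits freed memory. */
static void free_one(param_t *all, int i, int *uaf)
{
    if (all[i].size_is >= 0 && all[all[i].size_is].buf == NULL) (*uaf)++;
    if (all[i].length_is >= 0 && all[all[i].length_is].buf == NULL) (*uaf)++;
    free(all[i].buf);
    all[i].buf = NULL;
}

/* One free stage. deferred == 0 frees in strict declaration order (the path
   the report describes for -Oif stubs); deferred != 0 frees every parameter
   that another parameter uses as a descriptor only after its dependents. */
int free_stage(param_t *all, int deferred)
{
    int uaf = 0, is_desc[NPARAMS] = {0};
    for (int i = 0; deferred && i < NPARAMS; i++) {
        if (all[i].size_is >= 0) is_desc[all[i].size_is] = 1;
        if (all[i].length_is >= 0) is_desc[all[i].length_is] = 1;
    }
    for (int i = 0; i < NPARAMS; i++) if (!is_desc[i]) free_one(all, i, &uaf);
    for (int i = 0; i < NPARAMS; i++) if (is_desc[i]) free_one(all, i, &uaf);
    return uaf;
}

/* Runs one free stage over ept_map's max_towers, *num_towers and
   towers[size_is(max_towers), length_is(*num_towers)] and returns the
   number of freed-memory reads. Expected: 2 in order, 0 deferred. */
int ept_map_uaf_count(int deferred)
{
    param_t all[NPARAMS] = { { NULL, -1, -1 }, { NULL, -1, -1 },
                             { NULL, P_MAX_TOWERS, P_NUM_TOWERS } };
    for (int i = 0; i < NPARAMS; i++)
        if (!(all[i].buf = malloc(sizeof(unsigned long)))) abort();
    return free_stage(all, deferred);
}
```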

      Attachments

        1. 0001-CMAKE-RPC.patch
          3 kB
        2. 0001-CMAKE-RPC-svn.patch
          3 kB
        3. disable-widl-oif.patch
          2 kB
        4. rpcrt4_advance_mustfree.diff
          1 kB
        5. server_s.c
          144 kB
        6. server_s.c
          154 kB
        7. widl-fix-string.patch
          1 kB
        8. widl-fix-string.patch
          1 kB

            People

              zefklop jgardou
              ThFabba ThFabba