[ros-dev] Crash

hto at mail.cnt.ru hto at mail.cnt.ru
Fri Jan 19 23:39:17 CET 2007


// ntoskrnl/lpc/send.c
// Abridged control-flow sketch of the reported crash path; "..." marks code
// the report leaves out, so the notes below cover only the visible statements.
// The sequence shown is: clear the thread's reply-message pointer, wait for a
// reply, read the pointer back, and on any non-success status hand it to
// LpcpFreeToPortZone().
NtRequestWaitReplyPort(...)
{
     ...
     if (Callback)
     {
         ...
     }
     else
     {
         ...
         // Non-callback path: the per-thread reply slot is reset before waiting.
         Thread->LpcReplyMessage = NULL;
         ...
     }
     ...
     // LpcpReplyWait is the macro from lpc_x.h shown in this report; it assigns
     // Status from KeWaitForSingleObject(). In the reported case the wait ends
     // early rather than with a reply.
     LpcpReplyWait(...);  // now Status == STATUS_USER_APC
     ...
     // Presumably still NULL here, since no reply arrived to fill the slot
     // (the elided code is not shown, so confirm against the full source).
     Message = Thread->LpcReplyMessage;
     ...
     if (Status == STATUS_SUCCESS)
     {
         ...
     }
     else
     {
         ...
         // NOTE(review): no NULL check on Message is visible before this call.
         // STATUS_USER_APC takes this branch, so a NULL Message reaches
         // LpcpFreeToPortZone(), which dereferences it. A guard here, or in
         // the callee, would close the path.
         LpcpFreeToPortZone(Message, TRUE);
         ...
     }
     ...
}

// ntoskrnl/lpc/close.c
// Abridged sketch of the callee ("..." marks omitted code). The only visible
// statement reads the list entry embedded in Message.
LpcpFreeToPortZone(...)
{
     ...
     // IsListEmpty() reads through the address of Message->Entry, so Message
     // must be a valid pointer here. No NULL check is visible before this line.
     // The report marks this as the fault site, reached from the failure branch
     // of NtRequestWaitReplyPort() in send.c.
     // NOTE(review): a NULL dereference in kernel mode normally ends in a
     // bugcheck. Confirm whether user mode can provoke the interrupted wait
     // that leads here.
     if (!IsListEmpty(&Message->Entry)) // crash
     {
         ...
     }
     ...
}

// ntoskrnl/include/internal/lpc_x.h
// Abridged sketch of the wait macro ("..." marks omitted lines).
// It expands to a bare block that assigns to a variable named Status in the
// caller's scope, so the caller sees whatever KeWaitForSingleObject() returns.
// That includes non-success values such as the STATUS_USER_APC noted at the
// call site in send.c.
// NOTE(review): callers must treat every status other than STATUS_SUCCESS as
// "no reply message available" - confirm against the full macro body.
#define LpcpReplyWait(s, w) \
{ \
     ... \
     Status = KeWaitForSingleObject(...); \
     ... \
}

