// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//
// File: ComCallUnmarshal.cpp
//

//
// Classes used to unmarshal all COM call wrapper IPs.
//


#include "stdafx.h"                     // Standard header.

#ifdef FEATURE_COMINTEROP

#include "ComCallUnmarshal.h"
#include <utilcode.h>                   // Utility helpers.

// For free-threaded marshaling, we must not be spoofed by out-of-process or cross-runtime marshal data.
// Only unmarshal data that comes from our own runtime.
//
// g_UnmarshalSecret is a GUID-sized byte string that the unmarshal paths in this
// file compare against the bytes found in the marshal stream before they touch
// the raw interface pointer stored there. g_fInitedUnmarshalSecret records
// whether the secret has been set up; the unmarshal paths fail with
// E_UNEXPECTED while it is false.
// NOTE(review): both are defined outside this file, so how and when the secret
// is generated is not visible here -- confirm it comes from an unpredictable
// source and is never exposed outside the process.
extern BYTE         g_UnmarshalSecret[sizeof(GUID)];
extern bool         g_fInitedUnmarshalSecret;

// Hands out the IUnknown or IMarshal view of this object.
//   iid - interface being requested.
//   ppv - receives the interface pointer; set to NULL when iid is not supported.
// Returns S_OK on success, E_NOINTERFACE for any other iid and E_POINTER when
// ppv itself is NULL.
STDMETHODIMP ComCallUnmarshal::QueryInterface(REFIID iid, void **ppv) 
{
    CONTRACTL 
    {
        NOTHROW;
        GC_NOTRIGGER;
        SO_TOLERANT;
        PRECONDITION(CheckPointer(ppv, NULL_OK));
    } CONTRACTL_END;

    if (ppv == NULL)
        return E_POINTER;

    if (iid == IID_IUnknown) 
    {
        *ppv = (IUnknown *)this;
    }
    else if (iid == IID_IMarshal) 
    {
        *ppv = (IMarshal *)this;
    }
    else
    {
        // Unsupported interface: the out parameter must not be left dangling.
        *ppv = NULL;
        return E_NOINTERFACE;
    }

    AddRef();
    return S_OK;
}

// IUnknown::AddRef. No count is kept here: the method always reports 2, so
// references taken through COM do not control this object's lifetime.
STDMETHODIMP_(ULONG) ComCallUnmarshal::AddRef() 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    const ULONG cRefsReported = 2;
    return cRefsReported; 
}

// IUnknown::Release. Nothing is decremented or freed: the method always
// reports 1, the counterpart of the constant returned by AddRef.
STDMETHODIMP_(ULONG) ComCallUnmarshal::Release() 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    const ULONG cRefsReported = 1;
    return cRefsReported;
}

// IMarshal::GetUnmarshalClass belongs to the marshaling side, which this class
// does not implement. Every argument is ignored; the call trips _ASSERTE and
// returns E_NOTIMPL.
STDMETHODIMP ComCallUnmarshal::GetUnmarshalClass (REFIID riid,
                                                  void * pv,
                                                  ULONG dwDestContext, 
                                                  void * pvDestContext,
                                                  ULONG mshlflags, 
                                                  LPCLSID pclsid) 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    // Reaching this method at all is unexpected on the unmarshal side.
    _ASSERTE(FALSE);
    return E_NOTIMPL;
}

// IMarshal::GetMarshalSizeMax belongs to the marshaling side, which this class
// does not implement. Every argument is ignored (pSize is not written); the
// call trips _ASSERTE and returns E_NOTIMPL.
STDMETHODIMP ComCallUnmarshal::GetMarshalSizeMax (REFIID riid,
                                                  void * pv,
                                                  ULONG dwDestContext, 
                                                  void * pvDestContext,
                                                  ULONG mshlflags, 
                                                  ULONG * pSize) 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    // Reaching this method at all is unexpected on the unmarshal side.
    _ASSERTE(FALSE);
    return E_NOTIMPL;
}

// IMarshal::MarshalInterface belongs to the marshaling side, which this class
// does not implement. Nothing is written to pStm; the call trips _ASSERTE and
// returns E_NOTIMPL.
STDMETHODIMP ComCallUnmarshal::MarshalInterface (LPSTREAM pStm,
                                                 REFIID riid,
                                                 void * pv,
                                                 ULONG dwDestContext,
                                                 LPVOID pvDestContext,
                                                 ULONG mshlflags) 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    // Reaching this method at all is unexpected on the unmarshal side.
    _ASSERTE(FALSE);
    return E_NOTIMPL;
}

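// IMarshal::UnmarshalInterface. Rebuilds an interface pointer from a marshal
// stream that carries, in this order: a raw interface pointer, the marshal
// flags (ULONG) and a copy of the runtime's unmarshal secret.
//
//   pStm   - stream positioned at the marshal data.
//   riid   - interface requested by the caller.
//   ppvObj - receives the interface pointer; always NULL on failure.
//
// Returns the HRESULT of the final QueryInterface on success,
// E_POINTER for a NULL pStm/ppvObj, RPC_E_INVALID_DATA when the stream is
// short, unreadable or carries a NULL pointer, and E_UNEXPECTED when the
// secret is not initialized or does not match.
//
// The pointer in the stream is untrusted until the secret has been checked, so
// it is read into a local and is neither dereferenced, released nor exposed
// through *ppvObj before that check passes.
STDMETHODIMP ComCallUnmarshal::UnmarshalInterface (LPSTREAM pStm, REFIID riid, void ** ppvObj)
{
    CONTRACTL {
        NOTHROW;
        GC_NOTRIGGER;
        SO_TOLERANT;
        STATIC_CONTRACT_MODE_PREEMPTIVE;
        PRECONDITION(CheckPointer(pStm));
        PRECONDITION(CheckPointer(ppvObj));
    } CONTRACTL_END;

    // Everything with an initializer is declared before the first goto.
    IUnknown *pUnk = NULL;
    ULONG bytesRead = 0;
    ULONG mshlflags = 0;
    HRESULT hr = E_FAIL;

    // Same runtime guard ReleaseMarshalData applies to its stream argument.
    if (!pStm || !ppvObj)
        return E_POINTER;

    // COM out parameters must be NULL on every failure path.
    *ppvObj = NULL;

    BEGIN_SO_INTOLERANT_CODE_NO_THROW_CHECK_THREAD(return COR_E_STACKOVERFLOW);
    // The marshal code added a reference to the object, but we return a
    // reference to the object as well, so don't change the ref count on the
    // success path. If the interface was marshalled TABLESTRONG or TABLEWEAK,
    // there is going to be a ReleaseMarshalData in the future, so we should
    // AddRef the IP we're about to give out.
    // Note also that OLE32 requires us to advance the stream pointer even
    // in failure cases.
    // NOTE(review): the early exits below stop reading at the first failure,
    // so the stream is not advanced past the remaining fields in those cases
    // -- confirm that this satisfies the OLE32 requirement.

    // Read the raw IP out of the marshalling stream into a local, not into
    // the caller's out parameter.
    hr = pStm->Read (&pUnk, sizeof (pUnk), &bytesRead);
    if (FAILED (hr) || (bytesRead != sizeof (pUnk)))
        IfFailGo(RPC_E_INVALID_DATA);

    // And then the marshal flags.
    hr = pStm->Read (&mshlflags, sizeof (ULONG), &bytesRead);
    if (FAILED (hr) || (bytesRead != sizeof (ULONG)))
        IfFailGo(RPC_E_INVALID_DATA);

    // And then verify our secret, to be sure that cross-runtime clients aren't
    // trying to trick us into mis-interpreting their data as an interface
    // pointer. Note that it is guaranteed that the secret data is initialized,
    // or else we certainly haven't written it into this buffer!
    if (!g_fInitedUnmarshalSecret)
        IfFailGo(E_UNEXPECTED);

    BYTE secret[sizeof(GUID)];

    hr = pStm->Read(secret, sizeof(secret), &bytesRead);
    if (FAILED(hr) || (bytesRead != sizeof(secret)))
        IfFailGo(RPC_E_INVALID_DATA);

    // NOTE(review): memcmp is not guaranteed to run in constant time; consider
    // a constant-time comparison if an untrusted party can submit streams
    // repeatedly and observe how long the check takes.
    if (memcmp(g_UnmarshalSecret, secret, sizeof(secret)) != 0)
        IfFailGo(E_UNEXPECTED);

    // The data is ours from here on, but never call through a NULL pointer.
    if (pUnk == NULL)
        IfFailGo(RPC_E_INVALID_DATA);

    if ((mshlflags == MSHLFLAGS_TABLESTRONG) || (mshlflags == MSHLFLAGS_TABLEWEAK))
    {
        // For table access we can just QI for the correct interface (this
        // will addref the IP, but that's OK since we need to keep an extra
        // ref on the IP until ReleaseMarshalData is called).
        hr = pUnk->QueryInterface(riid, ppvObj);
    }
    else 
    {
        // For normal access we QI for the correct interface then release
        // the old IP (the holder does that when it goes out of scope).
        NonVMComHolder<IUnknown> pOldUnk = pUnk;
        hr = pOldUnk->QueryInterface(riid, ppvObj);
    }
ErrExit:
    ;
    END_SO_INTOLERANT_CODE;
    return hr;
}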

// IMarshal::ReleaseMarshalData. Consumes one marshal packet (raw interface
// pointer, marshal flags, unmarshal secret) from pStm and, once the secret has
// been verified, releases the reference carried by the pointer.
//
// Returns S_OK on success, E_POINTER for a NULL stream, RPC_E_INVALID_DATA
// when a field cannot be read in full, and E_UNEXPECTED when the secret is not
// initialized or does not match. The pointer is only used after the secret
// check has passed.
STDMETHODIMP ComCallUnmarshal::ReleaseMarshalData (LPSTREAM pStm) 
{
    CONTRACTL {
        NOTHROW;
        GC_NOTRIGGER;
        STATIC_CONTRACT_MODE_PREEMPTIVE;
        SO_TOLERANT;
        PRECONDITION(CheckPointer(pStm));
    } CONTRACTL_END;

    HRESULT hr = S_OK;
    IUnknown *pMarshaledUnk;
    ULONG flags;
    ULONG cbRead;

    if (pStm == NULL)
        return E_POINTER;

    BEGIN_SO_INTOLERANT_CODE_NO_THROW_CHECK_THREAD(return COR_E_STACKOVERFLOW);

    // The raw IP comes first in the stream. It is read up front because the
    // stream pointer has to move even when a later step fails.
    hr = pStm->Read(&pMarshaledUnk, sizeof(pMarshaledUnk), &cbRead);
    if (!(SUCCEEDED(hr) && (cbRead == sizeof(pMarshaledUnk))))
    {
        IfFailGo(RPC_E_INVALID_DATA);
    }

    // The marshal flags follow; their value is not used by this method.
    hr = pStm->Read(&flags, sizeof(flags), &cbRead);
    if (!(SUCCEEDED(hr) && (cbRead == sizeof(flags))))
    {
        IfFailGo(RPC_E_INVALID_DATA);
    }

    // Without an initialized secret nothing in the stream can be trusted.
    if (!g_fInitedUnmarshalSecret)
        IfFailGo(E_UNEXPECTED);

    BYTE streamSecret[sizeof(GUID)];

    hr = pStm->Read(streamSecret, sizeof(streamSecret), &cbRead);
    if (!(SUCCEEDED(hr) && (cbRead == sizeof(streamSecret))))
    {
        IfFailGo(RPC_E_INVALID_DATA);
    }

    // Reject packets that were not produced by this runtime.
    if (0 != memcmp(g_UnmarshalSecret, streamSecret, sizeof(streamSecret)))
    {
        IfFailGo(E_UNEXPECTED);
    }

    // Verified: drop the reference held by the marshal data.
    pMarshaledUnk->Release();

ErrExit:
    ;
    END_SO_INTOLERANT_CODE;
    return hr;
}

// IMarshal::DisconnectObject. Deliberately a no-op that reports S_OK;
// dwReserved is ignored.
STDMETHODIMP ComCallUnmarshal::DisconnectObject (ULONG dwReserved) 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    // There is nothing to disconnect: the client reaches this server through
    // a raw IP, so the server has to stay alive until the client calls
    // Release() on it.
    const HRESULT hrNothingToDo = S_OK;
    return hrNothingToDo;
}

// Default constructor; it performs no work of its own beyond the contract
// annotation.
CComCallUnmarshalFactory::CComCallUnmarshalFactory()
{
    WRAPPER_NO_CONTRACT;
}

// Hands out the IClassFactory view of the factory for IID_IClassFactory and
// IID_IUnknown.
//   iid - interface being requested.
//   ppv - receives the interface pointer; set to NULL when iid is not supported.
// Returns S_OK on success, E_NOINTERFACE for any other iid and E_POINTER when
// ppv itself is NULL.
STDMETHODIMP CComCallUnmarshalFactory::QueryInterface(REFIID iid, void **ppv) 
{
    CONTRACTL
    {
        NOTHROW;
        GC_NOTRIGGER;
        SO_TOLERANT;
        PRECONDITION(CheckPointer(ppv));
    } CONTRACTL_END;

    if (ppv == NULL)
        return E_POINTER;

    const bool fSupported = (iid == IID_IClassFactory || iid == IID_IUnknown);
    if (!fSupported)
    {
        // Unsupported interface: the out parameter must not be left dangling.
        *ppv = NULL;
        return E_NOINTERFACE;
    }

    *ppv = (IClassFactory *)this;
    AddRef();
    return S_OK;
}

// IUnknown::AddRef. No count is kept here: the method always reports 2, so
// references taken through COM do not control the factory's lifetime.
STDMETHODIMP_(ULONG) CComCallUnmarshalFactory::AddRef() 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    const ULONG cRefsReported = 2;
    return cRefsReported; 
}

// IUnknown::Release. Nothing is decremented or freed: the method always
// reports 1, the counterpart of the constant returned by AddRef.
STDMETHODIMP_(ULONG) CComCallUnmarshalFactory::Release() 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    const ULONG cRefsReported = 1;
    return cRefsReported;
}

// IClassFactory::CreateInstance. No new object is allocated: the request is
// answered by querying the factory's embedded m_Unmarshaller for iid.
//   punkOuter - must be NULL; aggregation is refused.
//   iid       - interface requested on the unmarshaller.
//   ppv       - receives the interface pointer; NULL on failure.
// Returns E_POINTER for a NULL ppv, CLASS_E_NOAGGREGATION when punkOuter is
// supplied, otherwise whatever m_Unmarshaller.QueryInterface returns.
STDMETHODIMP CComCallUnmarshalFactory::CreateInstance(LPUNKNOWN punkOuter, REFIID iid, LPVOID FAR *ppv) 
{
    CONTRACTL
    {
        NOTHROW;
        GC_NOTRIGGER;
        SO_TOLERANT;
        PRECONDITION(CheckPointer(ppv));
    } CONTRACTL_END;

    if (ppv == NULL)
        return E_POINTER;

    // Clear the out parameter before any path that can fail.
    *ppv = NULL;

    return (punkOuter == NULL)
        ? m_Unmarshaller.QueryInterface(iid, ppv)
        : CLASS_E_NOAGGREGATION;
}

// IClassFactory::LockServer. fLock is ignored and no lock count is kept; the
// call always reports S_OK.
STDMETHODIMP CComCallUnmarshalFactory::LockServer(BOOL fLock) 
{
    LIMITED_METHOD_CONTRACT;
    STATIC_CONTRACT_SO_TOLERANT;

    const HRESULT hrAlwaysOk = S_OK;
    return hrAlwaysOk;
}

#endif // FEATURE_COMINTEROP