From 02ed704be1ee68625b264fbe24364b1a78ae5cd5 Mon Sep 17 00:00:00 2001
From: Alexandre Julliard
Date: Mon, 2 Apr 2007 20:24:55 +0200
Subject: [PATCH] server: Check file access in register_async before calling the object method.
---
 server/fd.c | 31 ++++++++++++++++---------------
 server/mailslot.c | 11 ++---------
 2 files changed, 18 insertions(+), 24 deletions(-)
diff --git a/server/fd.c b/server/fd.c
index ffaf404edbe..e8737017cef 100644
--- a/server/fd.c
+++ b/server/fd.c
@@ -1728,8 +1728,7 @@ int fd_queue_async_timeout( struct fd *fd, const async_data_t *data, int type, i
 queue = fd->wait_q;
 break;
 default:
- set_error( STATUS_INVALID_PARAMETER );
- return 0;
+ assert(0);
 }
 if (!create_async( current, timeout, queue, data )) return 0;
@@ -1946,21 +1945,23 @@ DECL_HANDLER(unmount_device)
 /* create / reschedule an async I/O */
 DECL_HANDLER(register_async)
 {
- struct fd *fd = get_handle_fd_obj( current->process, req->handle, 0 );
+ unsigned int access;
+ struct fd *fd;
- /*
- * The queue_async method must do the following:
- *
- * 1. Get the async_queue for the request of given type.
- * 2. Create a new asynchronous request for the selected queue
- * 3. Carry out any operations necessary to adjust the object's poll events
- * Usually: set_elect_events (obj, obj->ops->get_poll_events()).
- * 4. When the async request is triggered, then send back (with a proper APC)
- * the trigger (STATUS_ALERTED) to the thread that posted the request.
- * See also the implementations in file.c, serial.c, and sock.c.
- */
+ switch(req->type)
+ {
+ case ASYNC_TYPE_READ:
+ access = FILE_READ_DATA;
+ break;
+ case ASYNC_TYPE_WRITE:
+ access = FILE_WRITE_DATA;
+ break;
+ default:
+ set_error( STATUS_INVALID_PARAMETER );
+ return;
+ }
- if (fd)
+ if ((fd = get_handle_fd_obj( current->process, req->handle, access )))
 {
 fd->fd_ops->queue_async( fd, &req->async, req->type, req->count );
 release_object( fd );
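Review bot: In the `default:` branch of fd_queue_async_timeout, `assert(0)` is now the only handling of an unknown `type`, so a build with assertions compiled out falls through to `create_async( current, timeout, queue, data )` with `queue` never assigned by the switch. Whether `queue` has an initializer cannot be seen here, because the function starts above the hunk and continues below it. On the register_async path the value originates in `req->type`, so any caller that does not validate it first turns a bad request parameter into a server abort. Keeping the error return behind the assertion costs nothing: `assert(0); set_error( STATUS_INVALID_PARAMETER ); return 0;`. A comment such as `/* type must already have been validated by the request handler */` would record the assumption.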
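Review bot: The new switch in register_async accepts only ASYNC_TYPE_READ and ASYNC_TYPE_WRITE, while fd_queue_async_timeout in the same file still has a branch that selects `fd->wait_q`, presumably for a wait-type async. If such requests were registered through this handler, they now fail with STATUS_INVALID_PARAMETER before reaching the object, so either map that type to an access right or say in a comment that it is rejected on purpose. The commit also removes the comment describing the queue_async contract without a replacement. A short comment above the switch, for example `/* the handle must grant the access matching the async type; queue_async methods rely on this check */`, would tell implementers what has already been validated. The handler's closing lines are outside the hunk.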
diff --git a/server/mailslot.c b/server/mailslot.c
index bd637f2a6df..d9716fe9223 100644
--- a/server/mailslot.c
+++ b/server/mailslot.c
@@ -236,10 +236,9 @@ static struct fd *mailslot_get_fd( struct object *obj )
 static unsigned int mailslot_map_access( struct object *obj, unsigned int access )
 {
+ /* mailslots can only be read */
 if (access & GENERIC_READ) access |= FILE_GENERIC_READ;
- if (access & GENERIC_WRITE) access |= FILE_GENERIC_WRITE;
- if (access & GENERIC_EXECUTE) access |= FILE_GENERIC_EXECUTE;
- if (access & GENERIC_ALL) access |= FILE_ALL_ACCESS;
+ if (access & GENERIC_ALL) access |= FILE_GENERIC_READ;
 return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
 }
@@ -286,12 +285,6 @@ static void mailslot_queue_async( struct fd *fd, const async_data_t *data, int t
 assert(mailslot->obj.ops == &mailslot_ops);
- if (type != ASYNC_TYPE_READ)
- {
- set_error(STATUS_INVALID_PARAMETER);
- return;
- }
-
 if (list_empty( &mailslot->writers ) || !mailslot_message_count( mailslot ))
 {
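Review bot: mailslot_map_access only stops translating the generic write and execute bits; its final `return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);` still passes through any specific right requested directly, FILE_WRITE_DATA included. The second hunk in this file removes the `type != ASYNC_TYPE_READ` guard from mailslot_queue_async, relying on the access check in register_async. As far as these hunks show, a handle carrying FILE_WRITE_DATA would therefore get a write-type async past both places; whether handle creation elsewhere limits the requested mask is not visible. Either clear the write bits before the return, e.g. `access &= ~(FILE_WRITE_DATA | FILE_APPEND_DATA);`, or keep the type guard in mailslot_queue_async as a cheap second check. The comment would be more precise as `/* server-side mailslot handles are read-only: generic rights map to read access only */`.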