1
/*
2
 * Copyright 2001  Ove Kåven, TransGaming Technologies
3
 * Copyright 2002  Marcus Meissner
4
 * Copyright 2005  Mike Hearn, Rob Shearman for CodeWeavers
5
 *
6
 * This library is free software; you can redistribute it and/or
7
 * modify it under the terms of the GNU Lesser General Public
8
 * License as published by the Free Software Foundation; either
9
 * version 2.1 of the License, or (at your option) any later version.
10
 *
11
 * This library is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14
 * Lesser General Public License for more details.
15
 *
16
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library; if not, write to the Free Software
18
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19
 */
20

21
#include <stdarg.h>
22

23
#define COBJMACROS
24

25
#include "windef.h"
26
#include "winbase.h"
27
#include "winsvc.h"
28
#include "servprov.h"
29

30
#include "wine/debug.h"
31
#include "wine/exception.h"
32

33
#include "combase_private.h"
34

35
#include "irpcss.h"
36

37
WINE_DEFAULT_DEBUG_CHANNEL(ole);
38

39
static void __RPC_STUB dispatch_rpc(RPC_MESSAGE *msg);
40

41
/* we only use one function to dispatch calls for all methods - we use the
42
 * RPC_IF_OLE flag to tell the RPC runtime that this is the case */
43
static RPC_DISPATCH_FUNCTION rpc_dispatch_table[1] = { dispatch_rpc }; /* (RO) */
44
static RPC_DISPATCH_TABLE rpc_dispatch = { 1, rpc_dispatch_table }; /* (RO) */
45

46
static struct list registered_interfaces = LIST_INIT(registered_interfaces); /* (CS csRegIf) */
47
static CRITICAL_SECTION csRegIf;
48
static CRITICAL_SECTION_DEBUG csRegIf_debug =
49
{
50
    0, 0, &csRegIf,
51
    { &csRegIf_debug.ProcessLocksList, &csRegIf_debug.ProcessLocksList },
52
      0, 0, { (DWORD_PTR)(__FILE__ ": dcom registered server interfaces") }
53
};
54
static CRITICAL_SECTION csRegIf = { &csRegIf_debug, -1, 0, 0, 0, 0 };
55

56
static struct list channel_hooks = LIST_INIT(channel_hooks); /* (CS csChannelHook) */
57
static CRITICAL_SECTION csChannelHook;
58
static CRITICAL_SECTION_DEBUG csChannelHook_debug =
59
{
60
    0, 0, &csChannelHook,
61
    { &csChannelHook_debug.ProcessLocksList, &csChannelHook_debug.ProcessLocksList },
62
      0, 0, { (DWORD_PTR)(__FILE__ ": channel hooks") }
63
};
64
static CRITICAL_SECTION csChannelHook = { &csChannelHook_debug, -1, 0, 0, 0, 0 };
65

66
static WCHAR rpctransportW[] = L"ncalrpc";
67

68
struct registered_if
69
{
70
    struct list entry;
71
    DWORD refs; /* ref count */
72
    RPC_SERVER_INTERFACE If; /* interface registered with the RPC runtime */
73
};
74

75
/* get the pipe endpoint specified of the specified apartment */
76
static inline void get_rpc_endpoint(LPWSTR endpoint, const OXID *oxid)
77
{
78
    /* FIXME: should get endpoint from rpcss */
79
    wsprintfW(endpoint, L"\\pipe\\OLE_%016I64x", *oxid);
80
}
81

82
typedef struct
83
{
84
    IRpcChannelBuffer IRpcChannelBuffer_iface;
85
    LONG refs;
86

87
    DWORD dest_context; /* returned from GetDestCtx */
88
    void *dest_context_data; /* returned from GetDestCtx */
89
} RpcChannelBuffer;
90

91
typedef struct
92
{
93
    RpcChannelBuffer       super; /* superclass */
94

95
    RPC_BINDING_HANDLE     bind; /* handle to the remote server */
96
    OXID                   oxid; /* apartment in which the channel is valid */
97
    DWORD                  server_pid; /* id of server process */
98
    HANDLE                 event; /* cached event handle */
99
    IID                    iid; /* IID of the proxy this belongs to */
100
} ClientRpcChannelBuffer;
101

102
struct dispatch_params
103
{
104
    RPCOLEMESSAGE     *msg; /* message */
105
    IRpcStubBuffer    *stub; /* stub buffer, if applicable */
106
    IRpcChannelBuffer *chan; /* server channel buffer, if applicable */
107
    IID                iid; /* ID of interface being called */
108
    IUnknown          *iface; /* interface being called */
109
    HANDLE             handle; /* handle that will become signaled when call finishes */
110
    BOOL               bypass_rpcrt; /* bypass RPC runtime? */
111
    RPC_STATUS         status; /* status (out) */
112
    HRESULT            hr; /* hresult (out) */
113
};
114

115
struct message_state
116
{
117
    RPC_BINDING_HANDLE binding_handle;
118
    ULONG prefix_data_len;
119
    SChannelHookCallInfo channel_hook_info;
120
    BOOL bypass_rpcrt;
121

122
    /* client only */
123
    HWND target_hwnd;
124
    DWORD target_tid;
125
    struct dispatch_params params;
126
};
127

128
typedef struct
129
{
130
    ULONG conformance; /* NDR */
131
    GUID id;
132
    ULONG size;
133
    /* [size_is((size+7)&~7)] */ unsigned char data[1];
134
} WIRE_ORPC_EXTENT;
135

136
typedef struct
137
{
138
    ULONG size;
139
    ULONG reserved;
140
    unsigned char extent[1];
141
} WIRE_ORPC_EXTENT_ARRAY;
142

143
typedef struct
144
{
145
    ULONG version;
146
    ULONG flags;
147
    ULONG reserved1;
148
    GUID  cid;
149
    unsigned char extensions[1];
150
} WIRE_ORPCTHIS;
151

152
typedef struct
153
{
154
    ULONG flags;
155
    unsigned char extensions[1];
156
} WIRE_ORPCTHAT;
157

158
struct channel_hook_entry
159
{
160
    struct list entry;
161
    GUID id;
162
    IChannelHook *hook;
163
};
164

165
struct channel_hook_buffer_data
166
{
167
    GUID id;
168
    ULONG extension_size;
169
};
170
void * __RPC_USER MIDL_user_allocate(SIZE_T size)
171
{
172
    return malloc(size);
173
}
174

175
void __RPC_USER MIDL_user_free(void *p)
176
{
177
    free(p);
178
}
179

180
static LONG WINAPI rpc_filter(EXCEPTION_POINTERS *eptr)
181
{
182
    return I_RpcExceptionFilter(eptr->ExceptionRecord->ExceptionCode);
183
}
184

185
static BOOL start_rpcss(void)
186
{
187
    SERVICE_STATUS_PROCESS status;
188
    SC_HANDLE scm, service;
189
    BOOL ret = FALSE;
190

191
    TRACE("\n");
192

193
    if (!(scm = OpenSCManagerW(NULL, NULL, 0)))
194
    {
195
        ERR("Failed to open service manager\n");
196
        return FALSE;
197
    }
198

199
    if (!(service = OpenServiceW(scm, L"RpcSs", SERVICE_START | SERVICE_QUERY_STATUS)))
200
    {
201
        ERR("Failed to open RpcSs service\n");
202
        CloseServiceHandle( scm );
203
        return FALSE;
204
    }
205

206
    if (StartServiceW(service, 0, NULL) || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
207
    {
208
        ULONGLONG start_time = GetTickCount64();
209
        do
210
        {
211
            DWORD dummy;
212

213
            if (!QueryServiceStatusEx(service, SC_STATUS_PROCESS_INFO, (BYTE *)&status, sizeof(status), &dummy))
214
                break;
215
            if (status.dwCurrentState == SERVICE_RUNNING)
216
            {
217
                ret = TRUE;
218
                break;
219
            }
220
            if (GetTickCount64() - start_time > 30000) break;
221
            Sleep( 100 );
222

223
        } while (status.dwCurrentState == SERVICE_START_PENDING);
224

225
        if (status.dwCurrentState != SERVICE_RUNNING)
226
            WARN("RpcSs failed to start %lu\n", status.dwCurrentState);
227
    }
228
    else
229
        ERR("Failed to start RpcSs service\n");
230

231
    CloseServiceHandle(service);
232
    CloseServiceHandle(scm);
233
    return ret;
234
}
235

236
static RPC_BINDING_HANDLE get_rpc_handle(unsigned short *protseq, unsigned short *endpoint)
237
{
238
    RPC_BINDING_HANDLE handle = NULL;
239
    RPC_STATUS status;
240
    RPC_WSTR binding;
241

242
    status = RpcStringBindingComposeW(NULL, protseq, NULL, endpoint, NULL, &binding);
243
    if (status == RPC_S_OK)
244
    {
245
        status = RpcBindingFromStringBindingW(binding, &handle);
246
        RpcStringFreeW(&binding);
247
    }
248

249
    return handle;
250
}
251

252
static RPC_BINDING_HANDLE get_irpcss_handle(void)
253
{
254
    static RPC_BINDING_HANDLE irpcss_handle;
255

256
    if (!irpcss_handle)
257
    {
258
        unsigned short protseq[] = IRPCSS_PROTSEQ;
259
        unsigned short endpoint[] = IRPCSS_ENDPOINT;
260

261
        RPC_BINDING_HANDLE new_handle = get_rpc_handle(protseq, endpoint);
262
        if (InterlockedCompareExchangePointer(&irpcss_handle, new_handle, NULL))
263
            /* another thread beat us to it */
264
            RpcBindingFree(&new_handle);
265
    }
266
    return irpcss_handle;
267
}
268

269
static RPC_BINDING_HANDLE get_irot_handle(void)
270
{
271
    static RPC_BINDING_HANDLE irot_handle;
272

273
    if (!irot_handle)
274
    {
275
        unsigned short protseq[] = IROT_PROTSEQ;
276
        unsigned short endpoint[] = IROT_ENDPOINT;
277

278
        RPC_BINDING_HANDLE new_handle = get_rpc_handle(protseq, endpoint);
279
        if (InterlockedCompareExchangePointer(&irot_handle, new_handle, NULL))
280
            /* another thread beat us to it */
281
            RpcBindingFree(&new_handle);
282
    }
283
    return irot_handle;
284
}
285

286
#define RPCSS_CALL_START \
287
    HRESULT hr; \
288
    for (;;) { \
289
        __TRY {
290

291
#define RPCSS_CALL_END \
292
        } __EXCEPT(rpc_filter) { \
293
            hr = HRESULT_FROM_WIN32(GetExceptionCode()); \
294
        } \
295
        __ENDTRY \
296
        if (hr == HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE)) { \
297
            if (start_rpcss()) \
298
                continue; \
299
        } \
300
        break; \
301
    } \
302
    return hr;
303

304
HRESULT rpcss_get_next_seqid(DWORD *id)
305
{
306
    RPCSS_CALL_START
307
    hr = irpcss_get_thread_seq_id(get_irpcss_handle(), id);
308
    RPCSS_CALL_END
309
}
310

311
HRESULT WINAPI InternalIrotRegister(const MonikerComparisonData *moniker_data,
312
        const InterfaceData *object, const InterfaceData *moniker,
313
        const FILETIME *time, DWORD flags, IrotCookie *cookie, IrotContextHandle *ctxt_handle)
314
{
315
    RPCSS_CALL_START
316
    hr = IrotRegister(get_irot_handle(), moniker_data, object, moniker, time, flags, cookie, ctxt_handle);
317
    RPCSS_CALL_END
318
}
319

320
HRESULT WINAPI InternalIrotIsRunning(const MonikerComparisonData *moniker_data)
321
{
322
    RPCSS_CALL_START
323
    hr = IrotIsRunning(get_irot_handle(), moniker_data);
324
    RPCSS_CALL_END
325
}
326

327
HRESULT WINAPI InternalIrotGetObject(const MonikerComparisonData *moniker_data, PInterfaceData *obj,
328
        IrotCookie *cookie)
329
{
330
    RPCSS_CALL_START
331
    hr = IrotGetObject(get_irot_handle(), moniker_data, obj, cookie);
332
    RPCSS_CALL_END
333
}
334

335
HRESULT WINAPI InternalIrotNoteChangeTime(IrotCookie cookie, const FILETIME *time)
336
{
337
    RPCSS_CALL_START
338
    hr = IrotNoteChangeTime(get_irot_handle(), cookie, time);
339
    RPCSS_CALL_END
340
}
341

342
HRESULT WINAPI InternalIrotGetTimeOfLastChange(const MonikerComparisonData *moniker_data, FILETIME *time)
343
{
344
    RPCSS_CALL_START
345
    hr = IrotGetTimeOfLastChange(get_irot_handle(), moniker_data, time);
346
    RPCSS_CALL_END
347
}
348

349
HRESULT WINAPI InternalIrotEnumRunning(PInterfaceList *list)
350
{
351
    RPCSS_CALL_START
352
    hr = IrotEnumRunning(get_irot_handle(), list);
353
    RPCSS_CALL_END
354
}
355

356
HRESULT WINAPI InternalIrotRevoke(IrotCookie cookie, IrotContextHandle *ctxt_handle, PInterfaceData *object,
357
        PInterfaceData *moniker)
358
{
359
    RPCSS_CALL_START
360
    hr = IrotRevoke(get_irot_handle(), cookie, ctxt_handle, object, moniker);
361
    RPCSS_CALL_END
362
}
363

364
static HRESULT rpcss_server_register(REFCLSID clsid, DWORD flags, MInterfacePointer *obj, unsigned int *cookie)
365
{
366
    RPCSS_CALL_START
367
    hr = irpcss_server_register(get_irpcss_handle(), clsid, flags, obj, cookie);
368
    RPCSS_CALL_END
369
}
370

371
HRESULT rpc_revoke_local_server(unsigned int cookie)
372
{
373
    RPCSS_CALL_START
374
    hr = irpcss_server_revoke(get_irpcss_handle(), cookie);
375
    RPCSS_CALL_END
376
}
377

378
static HRESULT rpcss_get_class_object(REFCLSID rclsid, PMInterfacePointer *objref)
379
{
380
    RPCSS_CALL_START
381
    hr = irpcss_get_class_object(get_irpcss_handle(), rclsid, objref);
382
    RPCSS_CALL_END
383
}
384

385
static DWORD start_local_service(const WCHAR *name, DWORD num, LPCWSTR *params)
386
{
387
    SC_HANDLE handle, hsvc;
388
    DWORD r = ERROR_FUNCTION_FAILED;
389

390
    TRACE("Starting service %s %ld params\n", debugstr_w(name), num);
391

392
    handle = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
393
    if (!handle)
394
        return r;
395
    hsvc = OpenServiceW(handle, name, SERVICE_START);
396
    if (hsvc)
397
    {
398
        if(StartServiceW(hsvc, num, params))
399
            r = ERROR_SUCCESS;
400
        else
401
            r = GetLastError();
402
        if (r == ERROR_SERVICE_ALREADY_RUNNING)
403
            r = ERROR_SUCCESS;
404
        CloseServiceHandle(hsvc);
405
    }
406
    else
407
        r = GetLastError();
408
    CloseServiceHandle(handle);
409

410
    TRACE("StartService returned error %lu (%s)\n", r, (r == ERROR_SUCCESS) ? "ok":"failed");
411

412
    return r;
413
}
414

415
/*
416
 * create_local_service()  - start a COM server in a service
417
 *
418
 *   To start a Local Service, we read the AppID value under
419
 * the class's CLSID key, then open the HKCR\\AppId key specified
420
 * there and check for a LocalService value.
421
 *
422
 * Note:  Local Services are not supported under Windows 9x
423
 */
424
static HRESULT create_local_service(REFCLSID rclsid)
425
{
426
    HRESULT hr;
427
    WCHAR buf[CHARS_IN_GUID];
428
    HKEY hkey;
429
    LONG r;
430
    DWORD type, sz;
431

432
    TRACE("Attempting to start Local service for %s\n", debugstr_guid(rclsid));
433

434
    hr = open_appidkey_from_clsid(rclsid, KEY_READ, &hkey);
435
    if (FAILED(hr))
436
        return hr;
437

438
    /* read the LocalService and ServiceParameters values from the AppID key */
439
    sz = sizeof buf;
440
    r = RegQueryValueExW(hkey, L"LocalService", NULL, &type, (LPBYTE)buf, &sz);
441
    if (r == ERROR_SUCCESS && type == REG_SZ)
442
    {
443
        DWORD num_args = 0;
444
        LPWSTR args[1] = { NULL };
445

446
        /*
447
         * FIXME: I'm not really sure how to deal with the service parameters.
448
         *        I suspect that the string returned from RegQueryValueExW
449
         *        should be split into a number of arguments by spaces.
450
         *        It would make more sense if ServiceParams contained a
451
         *        REG_MULTI_SZ here, but it's a REG_SZ for the services
452
         *        that I'm interested in for the moment.
453
         */
454
        r = RegQueryValueExW(hkey, L"ServiceParams", NULL, &type, NULL, &sz);
455
        if (r == ERROR_SUCCESS && type == REG_SZ && sz)
456
        {
457
            args[0] = calloc(1, sz);
458
            num_args++;
459
            RegQueryValueExW(hkey, L"ServiceParams", NULL, &type, (LPBYTE)args[0], &sz);
460
        }
461
        r = start_local_service(buf, num_args, (LPCWSTR *)args);
462
        if (r != ERROR_SUCCESS)
463
            hr = REGDB_E_CLASSNOTREG; /* FIXME: check retval */
464
        free(args[0]);
465
    }
466
    else
467
    {
468
        WARN("No LocalService value\n");
469
        hr = REGDB_E_CLASSNOTREG; /* FIXME: check retval */
470
    }
471
    RegCloseKey(hkey);
472

473
    return hr;
474
}
475

476
static HRESULT create_server(REFCLSID rclsid, HANDLE *process)
477
{
478
    static const WCHAR  embeddingW[] = L" -Embedding";
479
    HKEY                key;
480
    int                 arch = (sizeof(void *) > sizeof(int)) ? 64 : 32;
481
    REGSAM              opposite = (arch == 64) ? KEY_WOW64_32KEY : KEY_WOW64_64KEY;
482
    BOOL                is_wow64 = FALSE, is_opposite = FALSE;
483
    HRESULT             hr;
484
    WCHAR               command[MAX_PATH + ARRAY_SIZE(embeddingW)];
485
    DWORD               size = (MAX_PATH+1) * sizeof(WCHAR);
486
    STARTUPINFOW        sinfo;
487
    PROCESS_INFORMATION pinfo;
488
    LONG ret;
489

490
    TRACE("Attempting to start server for %s\n", debugstr_guid(rclsid));
491

492
    hr = open_key_for_clsid(rclsid, L"LocalServer32", KEY_READ, &key);
493
    if (FAILED(hr) && (arch == 64 || (IsWow64Process(GetCurrentProcess(), &is_wow64) && is_wow64)))
494
    {
495
        hr = open_key_for_clsid(rclsid, L"LocalServer32", opposite | KEY_READ, &key);
496
        is_opposite = TRUE;
497
    }
498
    if (FAILED(hr))
499
    {
500
        ERR("class %s not registered\n", debugstr_guid(rclsid));
501
        return hr;
502
    }
503

504
    ret = RegQueryValueExW(key, NULL, NULL, NULL, (LPBYTE)command, &size);
505
    RegCloseKey(key);
506
    if (ret)
507
    {
508
        WARN("No default value for LocalServer32 key\n");
509
        return REGDB_E_CLASSNOTREG; /* FIXME: check retval */
510
    }
511

512
    memset(&sinfo, 0, sizeof(sinfo));
513
    sinfo.cb = sizeof(sinfo);
514

515
    /* EXE servers are started with the -Embedding switch. */
516

517
    lstrcatW(command, embeddingW);
518

519
    TRACE("activating local server %s for %s\n", debugstr_w(command), debugstr_guid(rclsid));
520

521
    /* FIXME: Win2003 supports a ServerExecutable value that is passed into
522
     * CreateProcess */
523
    if (is_opposite)
524
    {
525
        void *cookie;
526
        Wow64DisableWow64FsRedirection(&cookie);
527
        if (!CreateProcessW(NULL, command, NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo))
528
        {
529
            WARN("failed to run local server %s\n", debugstr_w(command));
530
            hr = HRESULT_FROM_WIN32(GetLastError());
531
        }
532
        Wow64RevertWow64FsRedirection(cookie);
533
        if (FAILED(hr)) return hr;
534
    }
535
    else if (!CreateProcessW(NULL, command, NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo))
536
    {
537
        WARN("failed to run local server %s\n", debugstr_w(command));
538
        return HRESULT_FROM_WIN32(GetLastError());
539
    }
540
    *process = pinfo.hProcess;
541
    CloseHandle(pinfo.hThread);
542

543
    return S_OK;
544
}
545

546
static HRESULT create_surrogate_server(REFCLSID rclsid, HANDLE *process)
547
{
548
    static const WCHAR processidW[] = L" /PROCESSID:";
549
    HKEY key;
550
    int arch = (sizeof(void *) > sizeof(int)) ? 64 : 32;
551
    REGSAM opposite = (arch == 64) ? KEY_WOW64_32KEY : KEY_WOW64_64KEY;
552
    BOOL is_wow64 = FALSE, is_opposite = FALSE;
553
    HRESULT hr;
554
    WCHAR command[MAX_PATH + ARRAY_SIZE(processidW) + CHARS_IN_GUID];
555
    DWORD size;
556
    STARTUPINFOW si;
557
    PROCESS_INFORMATION pi;
558
    LONG ret;
559

560
    TRACE("Attempting to start surrogate server for %s\n", debugstr_guid(rclsid));
561

562
    hr = open_key_for_clsid(rclsid, NULL, KEY_READ, &key);
563
    if (FAILED(hr) && (arch == 64 || (IsWow64Process(GetCurrentProcess(), &is_wow64) && is_wow64)))
564
        hr = open_key_for_clsid(rclsid, NULL, opposite | KEY_READ, &key);
565
    if (FAILED(hr)) return hr;
566
    RegCloseKey(key);
567

568
    hr = open_appidkey_from_clsid(rclsid, KEY_READ, &key);
569
    if (FAILED(hr) && (arch == 64 || (IsWow64Process(GetCurrentProcess(), &is_wow64) && is_wow64)))
570
    {
571
        hr = open_appidkey_from_clsid(rclsid, opposite | KEY_READ, &key);
572
        if (FAILED(hr)) return hr;
573
        is_opposite = TRUE;
574
    }
575

576
    size = (MAX_PATH + 1) * sizeof(WCHAR);
577
    ret = RegQueryValueExW(key, L"DllSurrogate", NULL, NULL, (LPBYTE)command, &size);
578
    RegCloseKey(key);
579
    if (ret || !size || !command[0])
580
    {
581
        TRACE("No value for DllSurrogate key\n");
582

583
        if ((sizeof(void *) == 8 || is_wow64) && opposite == KEY_WOW64_32KEY)
584
            GetSystemWow64DirectoryW(command, MAX_PATH - ARRAY_SIZE(L"\\dllhost.exe"));
585
        else
586
            GetSystemDirectoryW(command, MAX_PATH - ARRAY_SIZE(L"\\dllhost.exe"));
587

588
        wcscat(command, L"\\dllhost.exe");
589
    }
590

591
    /* Surrogate EXE servers are started with the /PROCESSID:{GUID} switch. */
592
    wcscat(command, processidW);
593
    StringFromGUID2(rclsid, command + wcslen(command), CHARS_IN_GUID);
594

595
    memset(&si, 0, sizeof(si));
596
    si.cb = sizeof(si);
597

598
    TRACE("Activating surrogate local server %s\n", debugstr_w(command));
599

600
    if (is_opposite)
601
    {
602
        void *cookie;
603
        Wow64DisableWow64FsRedirection(&cookie);
604
        if (!CreateProcessW(NULL, command, NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &si, &pi))
605
        {
606
            WARN("failed to run surrogate local server %s\n", debugstr_w(command));
607
            hr = HRESULT_FROM_WIN32(GetLastError());
608
        }
609
        Wow64RevertWow64FsRedirection(cookie);
610
    }
611
    else if (!CreateProcessW(NULL, command, NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &si, &pi))
612
    {
613
        WARN("failed to run surrogate local server %s\n", debugstr_w(command));
614
        hr = HRESULT_FROM_WIN32(GetLastError());
615
    }
616

617
    if (FAILED(hr)) return hr;
618

619
    *process = pi.hProcess;
620
    CloseHandle(pi.hThread);
621

622
    return S_OK;
623
}
624

625
HRESULT rpc_get_local_class_object(REFCLSID rclsid, REFIID riid, void **obj)
626
{
627
    PMInterfacePointer objref = NULL;
628
    IServiceProvider *local_server;
629
    IStream *stream = NULL;
630
    ULARGE_INTEGER newpos;
631
    LARGE_INTEGER seekto;
632
    int tries = 0;
633
    ULONG length;
634
    HRESULT hr;
635
    static const int MAXTRIES = 30; /* 30 seconds */
636

637
    TRACE("clsid %s, riid %s\n", debugstr_guid(rclsid), debugstr_guid(riid));
638

639
    while (tries++ < MAXTRIES)
640
    {
641
        DWORD index, start_ticks;
642
        HANDLE process = 0;
643

644
        if (SUCCEEDED(hr = rpcss_get_class_object(rclsid, &objref)))
645
            break;
646

647
        if (tries == 1)
648
        {
649
            if ((hr = create_local_service(rclsid)) && (hr = create_server(rclsid, &process)) &&
650
                (hr = create_surrogate_server(rclsid, &process)) )
651
                return hr;
652
        }
653

654
        /* Wait for one second, even if messages arrive. */
655
        start_ticks = GetTickCount();
656
        do
657
        {
658
            if (SUCCEEDED(CoWaitForMultipleHandles(0, 1000, (process != 0), &process, &index)) && process && !index)
659
            {
660
                WARN("Server for %s failed to start.\n", debugstr_guid(rclsid));
661
                CloseHandle(process);
662
                return E_NOINTERFACE;
663
            }
664
        } while (GetTickCount() - start_ticks < 1000);
665

666
        if (process) CloseHandle(process);
667
    }
668

669
    if (!objref || tries >= MAXTRIES)
670
        return E_NOINTERFACE;
671

672
    if (SUCCEEDED(hr = CreateStreamOnHGlobal(0, TRUE, &stream)))
673
        hr = IStream_Write(stream, objref->abData, objref->ulCntData, &length);
674

675
    MIDL_user_free(objref);
676

677
    if (SUCCEEDED(hr))
678
    {
679
        seekto.QuadPart = 0;
680
        IStream_Seek(stream, seekto, STREAM_SEEK_SET, &newpos);
681

682
        TRACE("Unmarshalling local server.\n");
683
        hr = CoUnmarshalInterface(stream, &IID_IServiceProvider, (void **)&local_server);
684
        if (SUCCEEDED(hr))
685
        {
686
            hr = IServiceProvider_QueryService(local_server, rclsid, riid, obj);
687
            IServiceProvider_Release(local_server);
688
        }
689
    }
690

691
    if (stream)
692
        IStream_Release(stream);
693

694
    return hr;
695
}
696

697
HRESULT rpc_register_local_server(REFCLSID clsid, IStream *stream, DWORD flags, unsigned int *cookie)
698
{
699
    MInterfacePointer *obj;
700
    const void *ptr;
701
    HGLOBAL hmem;
702
    SIZE_T size;
703
    HRESULT hr;
704

705
    TRACE("%s, %#lx\n", debugstr_guid(clsid), flags);
706

707
    hr = GetHGlobalFromStream(stream, &hmem);
708
    if (FAILED(hr)) return hr;
709

710
    size = GlobalSize(hmem);
711
    if (!(obj = malloc(FIELD_OFFSET(MInterfacePointer, abData[size]))))
712
        return E_OUTOFMEMORY;
713
    obj->ulCntData = size;
714
    ptr = GlobalLock(hmem);
715
    memcpy(obj->abData, ptr, size);
716
    GlobalUnlock(hmem);
717

718
    hr = rpcss_server_register(clsid, flags, obj, cookie);
719

720
    free(obj);
721

722
    return hr;
723
}
724

725
static HRESULT unmarshal_ORPCTHAT(RPC_MESSAGE *msg, ORPCTHAT *orpcthat, ORPC_EXTENT_ARRAY *orpc_ext_array,
726
        WIRE_ORPC_EXTENT **first_wire_orpc_extent);
727

728
/* Channel Hook Functions */
729

730
static ULONG ChannelHooks_ClientGetSize(SChannelHookCallInfo *info, struct channel_hook_buffer_data **data,
731
        unsigned int *hook_count, ULONG *extension_count)
732
{
733
    struct channel_hook_entry *entry;
734
    ULONG total_size = 0;
735
    unsigned int hook_index = 0;
736

737
    *hook_count = 0;
738
    *extension_count = 0;
739

740
    EnterCriticalSection(&csChannelHook);
741

742
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
743
        (*hook_count)++;
744

745
    if (*hook_count)
746
        *data = malloc(*hook_count * sizeof(struct channel_hook_buffer_data));
747
    else
748
        *data = NULL;
749

750
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
751
    {
752
        ULONG extension_size = 0;
753

754
        IChannelHook_ClientGetSize(entry->hook, &entry->id, &info->iid, &extension_size);
755

756
        TRACE("%s: extension_size = %lu\n", debugstr_guid(&entry->id), extension_size);
757

758
        extension_size = (extension_size+7)&~7;
759
        (*data)[hook_index].id = entry->id;
760
        (*data)[hook_index].extension_size = extension_size;
761

762
        /* an extension is only put onto the wire if it has data to write */
763
        if (extension_size)
764
        {
765
            total_size += FIELD_OFFSET(WIRE_ORPC_EXTENT, data[extension_size]);
766
            (*extension_count)++;
767
        }
768

769
        hook_index++;
770
    }
771

772
    LeaveCriticalSection(&csChannelHook);
773

774
    return total_size;
775
}
776

777
static unsigned char * ChannelHooks_ClientFillBuffer(SChannelHookCallInfo *info,
778
    unsigned char *buffer, struct channel_hook_buffer_data *data,
779
    unsigned int hook_count)
780
{
781
    struct channel_hook_entry *entry;
782

783
    EnterCriticalSection(&csChannelHook);
784

785
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
786
    {
787
        unsigned int i;
788
        ULONG extension_size = 0;
789
        WIRE_ORPC_EXTENT *wire_orpc_extent = (WIRE_ORPC_EXTENT *)buffer;
790

791
        for (i = 0; i < hook_count; i++)
792
            if (IsEqualGUID(&entry->id, &data[i].id))
793
                extension_size = data[i].extension_size;
794

795
        /* an extension is only put onto the wire if it has data to write */
796
        if (!extension_size)
797
            continue;
798

799
        IChannelHook_ClientFillBuffer(entry->hook, &entry->id, &info->iid,
800
            &extension_size, buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT, data[0]));
801

802
        TRACE("%s: extension_size = %lu\n", debugstr_guid(&entry->id), extension_size);
803

804
        /* FIXME: set unused portion of wire_orpc_extent->data to 0? */
805

806
        wire_orpc_extent->conformance = (extension_size+7)&~7;
807
        wire_orpc_extent->size = extension_size;
808
        wire_orpc_extent->id = entry->id;
809
        buffer += FIELD_OFFSET(WIRE_ORPC_EXTENT, data[wire_orpc_extent->conformance]);
810
    }
811

812
    LeaveCriticalSection(&csChannelHook);
813

814
    return buffer;
815
}
816

817
static void ChannelHooks_ServerNotify(SChannelHookCallInfo *info,
818
    DWORD lDataRep, WIRE_ORPC_EXTENT *first_wire_orpc_extent,
819
    ULONG extension_count)
820
{
821
    struct channel_hook_entry *entry;
822
    ULONG i;
823

824
    EnterCriticalSection(&csChannelHook);
825

826
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
827
    {
828
        WIRE_ORPC_EXTENT *wire_orpc_extent;
829
        for (i = 0, wire_orpc_extent = first_wire_orpc_extent;
830
             i < extension_count;
831
             i++, wire_orpc_extent = (WIRE_ORPC_EXTENT *)&wire_orpc_extent->data[wire_orpc_extent->conformance])
832
        {
833
            if (IsEqualGUID(&entry->id, &wire_orpc_extent->id))
834
                break;
835
        }
836
        if (i == extension_count) wire_orpc_extent = NULL;
837

838
        IChannelHook_ServerNotify(entry->hook, &entry->id, &info->iid,
839
            wire_orpc_extent ? wire_orpc_extent->size : 0,
840
            wire_orpc_extent ? wire_orpc_extent->data : NULL,
841
            lDataRep);
842
    }
843

844
    LeaveCriticalSection(&csChannelHook);
845
}
846

847
static ULONG ChannelHooks_ServerGetSize(SChannelHookCallInfo *info,
848
                                        struct channel_hook_buffer_data **data, unsigned int *hook_count,
849
                                        ULONG *extension_count)
850
{
851
    struct channel_hook_entry *entry;
852
    ULONG total_size = 0;
853
    unsigned int hook_index = 0;
854

855
    *hook_count = 0;
856
    *extension_count = 0;
857

858
    EnterCriticalSection(&csChannelHook);
859

860
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
861
        (*hook_count)++;
862

863
    if (*hook_count)
864
        *data = malloc(*hook_count * sizeof(struct channel_hook_buffer_data));
865
    else
866
        *data = NULL;
867

868
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
869
    {
870
        ULONG extension_size = 0;
871

872
        IChannelHook_ServerGetSize(entry->hook, &entry->id, &info->iid, S_OK,
873
                                   &extension_size);
874

875
        TRACE("%s: extension_size = %lu\n", debugstr_guid(&entry->id), extension_size);
876

877
        extension_size = (extension_size+7)&~7;
878
        (*data)[hook_index].id = entry->id;
879
        (*data)[hook_index].extension_size = extension_size;
880

881
        /* an extension is only put onto the wire if it has data to write */
882
        if (extension_size)
883
        {
884
            total_size += FIELD_OFFSET(WIRE_ORPC_EXTENT, data[extension_size]);
885
            (*extension_count)++;
886
        }
887

888
        hook_index++;
889
    }
890

891
    LeaveCriticalSection(&csChannelHook);
892

893
    return total_size;
894
}
895

896
static unsigned char * ChannelHooks_ServerFillBuffer(SChannelHookCallInfo *info,
897
                                                     unsigned char *buffer, struct channel_hook_buffer_data *data,
898
                                                     unsigned int hook_count)
899
{
900
    struct channel_hook_entry *entry;
901

902
    EnterCriticalSection(&csChannelHook);
903

904
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
905
    {
906
        unsigned int i;
907
        ULONG extension_size = 0;
908
        WIRE_ORPC_EXTENT *wire_orpc_extent = (WIRE_ORPC_EXTENT *)buffer;
909

910
        for (i = 0; i < hook_count; i++)
911
            if (IsEqualGUID(&entry->id, &data[i].id))
912
                extension_size = data[i].extension_size;
913

914
        /* an extension is only put onto the wire if it has data to write */
915
        if (!extension_size)
916
            continue;
917

918
        IChannelHook_ServerFillBuffer(entry->hook, &entry->id, &info->iid,
919
                                      &extension_size, buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT, data[0]),
920
                                      S_OK);
921

922
        TRACE("%s: extension_size = %lu\n", debugstr_guid(&entry->id), extension_size);
923

924
        /* FIXME: set unused portion of wire_orpc_extent->data to 0? */
925

926
        wire_orpc_extent->conformance = (extension_size+7)&~7;
927
        wire_orpc_extent->size = extension_size;
928
        wire_orpc_extent->id = entry->id;
929
        buffer += FIELD_OFFSET(WIRE_ORPC_EXTENT, data[wire_orpc_extent->conformance]);
930
    }
931

932
    LeaveCriticalSection(&csChannelHook);
933

934
    return buffer;
935
}
936

937
static void ChannelHooks_ClientNotify(SChannelHookCallInfo *info,
938
                                      DWORD lDataRep, WIRE_ORPC_EXTENT *first_wire_orpc_extent,
939
                                      ULONG extension_count, HRESULT hrFault)
940
{
941
    struct channel_hook_entry *entry;
942
    ULONG i;
943

944
    EnterCriticalSection(&csChannelHook);
945

946
    LIST_FOR_EACH_ENTRY(entry, &channel_hooks, struct channel_hook_entry, entry)
947
    {
948
        WIRE_ORPC_EXTENT *wire_orpc_extent;
949
        for (i = 0, wire_orpc_extent = first_wire_orpc_extent;
950
             i < extension_count;
951
             i++, wire_orpc_extent = (WIRE_ORPC_EXTENT *)&wire_orpc_extent->data[wire_orpc_extent->conformance])
952
        {
953
            if (IsEqualGUID(&entry->id, &wire_orpc_extent->id))
954
                break;
955
        }
956
        if (i == extension_count) wire_orpc_extent = NULL;
957

958
        IChannelHook_ClientNotify(entry->hook, &entry->id, &info->iid,
959
                                  wire_orpc_extent ? wire_orpc_extent->size : 0,
960
                                  wire_orpc_extent ? wire_orpc_extent->data : NULL,
961
                                  lDataRep, hrFault);
962
    }
963

964
    LeaveCriticalSection(&csChannelHook);
965
}
966

967
HRESULT rpc_register_channel_hook(REFGUID rguid, IChannelHook *hook)
968
{
969
    struct channel_hook_entry *entry;
970

971
    entry = malloc(sizeof(*entry));
972
    if (!entry)
973
        return E_OUTOFMEMORY;
974

975
    entry->id = *rguid;
976
    entry->hook = hook;
977
    IChannelHook_AddRef(hook);
978

979
    EnterCriticalSection(&csChannelHook);
980
    list_add_tail(&channel_hooks, &entry->entry);
981
    LeaveCriticalSection(&csChannelHook);
982

983
    return S_OK;
984
}
985

986
void rpc_unregister_channel_hooks(void)
987
{
988
    struct channel_hook_entry *cursor;
989
    struct channel_hook_entry *cursor2;
990

991
    EnterCriticalSection(&csChannelHook);
992
    LIST_FOR_EACH_ENTRY_SAFE(cursor, cursor2, &channel_hooks, struct channel_hook_entry, entry)
993
        free(cursor);
994
    LeaveCriticalSection(&csChannelHook);
995
    DeleteCriticalSection(&csChannelHook);
996
    DeleteCriticalSection(&csRegIf);
997
}
998

999
/* RPC Channel Buffer Functions */
1000

1001
static HRESULT WINAPI RpcChannelBuffer_QueryInterface(IRpcChannelBuffer *iface, REFIID riid, LPVOID *ppv)
1002
{
1003
    *ppv = NULL;
1004
    if (IsEqualIID(riid,&IID_IRpcChannelBuffer) || IsEqualIID(riid,&IID_IUnknown))
1005
    {
1006
        *ppv = iface;
1007
        IRpcChannelBuffer_AddRef(iface);
1008
        return S_OK;
1009
    }
1010
    return E_NOINTERFACE;
1011
}
1012

1013
static ULONG WINAPI RpcChannelBuffer_AddRef(LPRPCCHANNELBUFFER iface)
1014
{
1015
    RpcChannelBuffer *This = (RpcChannelBuffer *)iface;
1016
    return InterlockedIncrement(&This->refs);
1017
}
1018

1019
static ULONG WINAPI ServerRpcChannelBuffer_Release(LPRPCCHANNELBUFFER iface)
1020
{
1021
    RpcChannelBuffer *This = (RpcChannelBuffer *)iface;
1022
    ULONG ref;
1023

1024
    ref = InterlockedDecrement(&This->refs);
1025
    if (ref)
1026
        return ref;
1027

1028
    free(This);
1029
    return 0;
1030
}
1031

1032
static ULONG WINAPI ClientRpcChannelBuffer_Release(LPRPCCHANNELBUFFER iface)
1033
{
1034
    ClientRpcChannelBuffer *This = (ClientRpcChannelBuffer *)iface;
1035
    ULONG ref;
1036

1037
    ref = InterlockedDecrement(&This->super.refs);
1038
    if (ref)
1039
        return ref;
1040

1041
    if (This->event) CloseHandle(This->event);
1042
    RpcBindingFree(&This->bind);
1043
    free(This);
1044
    return 0;
1045
}
1046

1047
static HRESULT WINAPI ServerRpcChannelBuffer_GetBuffer(LPRPCCHANNELBUFFER iface, RPCOLEMESSAGE* olemsg, REFIID riid)
1048
{
1049
    RpcChannelBuffer *This = (RpcChannelBuffer *)iface;
1050
    RPC_MESSAGE *msg = (RPC_MESSAGE *)olemsg;
1051
    RPC_STATUS status;
1052
    ORPCTHAT *orpcthat;
1053
    struct message_state *message_state;
1054
    ULONG extensions_size;
1055
    struct channel_hook_buffer_data *channel_hook_data;
1056
    unsigned int channel_hook_count;
1057
    ULONG extension_count;
1058

1059
    TRACE("(%p)->(%p,%s)\n", This, olemsg, debugstr_guid(riid));
1060

1061
    message_state = msg->Handle;
1062
    /* restore the binding handle and the real start of data */
1063
    msg->Handle = message_state->binding_handle;
1064
    msg->Buffer = (char *)msg->Buffer - message_state->prefix_data_len;
1065

1066
    extensions_size = ChannelHooks_ServerGetSize(&message_state->channel_hook_info,
1067
                                                 &channel_hook_data, &channel_hook_count, &extension_count);
1068

1069
    msg->BufferLength += FIELD_OFFSET(WIRE_ORPCTHAT, extensions) + sizeof(DWORD);
1070
    if (extensions_size)
1071
    {
1072
        msg->BufferLength += FIELD_OFFSET(WIRE_ORPC_EXTENT_ARRAY, extent[2*sizeof(DWORD) + extensions_size]);
1073
        if (extension_count & 1)
1074
            msg->BufferLength += FIELD_OFFSET(WIRE_ORPC_EXTENT, data[0]);
1075
    }
1076

1077
    if (message_state->bypass_rpcrt)
1078
    {
1079
        msg->Buffer = malloc(msg->BufferLength);
1080
        if (msg->Buffer)
1081
            status = RPC_S_OK;
1082
        else
1083
        {
1084
            free(channel_hook_data);
1085
            return E_OUTOFMEMORY;
1086
        }
1087
    }
1088
    else
1089
        status = I_RpcGetBuffer(msg);
1090

1091
    orpcthat = msg->Buffer;
1092
    msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPCTHAT, extensions);
1093

1094
    orpcthat->flags = ORPCF_NULL /* FIXME? */;
1095

1096
    /* NDR representation of orpcthat->extensions */
1097
    *(DWORD *)msg->Buffer = extensions_size ? 1 : 0;
1098
    msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1099

1100
    if (extensions_size)
1101
    {
1102
        WIRE_ORPC_EXTENT_ARRAY *orpc_extent_array = msg->Buffer;
1103
        orpc_extent_array->size = extension_count;
1104
        orpc_extent_array->reserved = 0;
1105
        msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT_ARRAY, extent);
1106
        /* NDR representation of orpc_extent_array->extent */
1107
        *(DWORD *)msg->Buffer = 1;
1108
        msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1109
        /* NDR representation of [size_is] attribute of orpc_extent_array->extent */
1110
        *(DWORD *)msg->Buffer = (extension_count + 1) & ~1;
1111
        msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1112

1113
        msg->Buffer = ChannelHooks_ServerFillBuffer(&message_state->channel_hook_info,
1114
                                                    msg->Buffer, channel_hook_data, channel_hook_count);
1115

1116
        /* we must add a dummy extension if there is an odd extension
1117
         * count to meet the contract specified by the size_is attribute */
1118
        if (extension_count & 1)
1119
        {
1120
            WIRE_ORPC_EXTENT *wire_orpc_extent = msg->Buffer;
1121
            wire_orpc_extent->conformance = 0;
1122
            wire_orpc_extent->id = GUID_NULL;
1123
            wire_orpc_extent->size = 0;
1124
            msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT, data[0]);
1125
        }
1126
    }
1127

1128
    free(channel_hook_data);
1129

1130
    /* store the prefixed data length so that we can restore the real buffer
1131
     * later */
1132
    message_state->prefix_data_len = (char *)msg->Buffer - (char *)orpcthat;
1133
    msg->BufferLength -= message_state->prefix_data_len;
1134
    /* save away the message state again */
1135
    msg->Handle = message_state;
1136

1137
    TRACE("-- %ld\n", status);
1138

1139
    return HRESULT_FROM_WIN32(status);
1140
}
1141

1142
static HANDLE ClientRpcChannelBuffer_GetEventHandle(ClientRpcChannelBuffer *This)
1143
{
1144
    HANDLE event = InterlockedExchangePointer(&This->event, NULL);
1145

1146
    /* Note: must be auto-reset event so we can reuse it without a call
1147
    * to ResetEvent */
1148
    if (!event) event = CreateEventW(NULL, FALSE, FALSE, NULL);
1149

1150
    return event;
1151
}
1152

1153
static void ClientRpcChannelBuffer_ReleaseEventHandle(ClientRpcChannelBuffer *This, HANDLE event)
1154
{
1155
    if (InterlockedCompareExchangePointer(&This->event, event, NULL))
1156
        /* already a handle cached in This */
1157
        CloseHandle(event);
1158
}
1159

1160
static HRESULT WINAPI ClientRpcChannelBuffer_GetBuffer(LPRPCCHANNELBUFFER iface, RPCOLEMESSAGE* olemsg, REFIID riid)
1161
{
1162
    ClientRpcChannelBuffer *This = (ClientRpcChannelBuffer *)iface;
1163
    RPC_MESSAGE *msg = (RPC_MESSAGE *)olemsg;
1164
    RPC_CLIENT_INTERFACE *cif;
1165
    RPC_STATUS status;
1166
    ORPCTHIS *orpcthis;
1167
    struct message_state *message_state;
1168
    ULONG extensions_size;
1169
    struct channel_hook_buffer_data *channel_hook_data;
1170
    unsigned int channel_hook_count;
1171
    ULONG extension_count;
1172
    IPID ipid;
1173
    HRESULT hr;
1174
    struct apartment *apt = NULL;
1175

1176
    TRACE("(%p)->(%p,%s)\n", This, olemsg, debugstr_guid(riid));
1177

1178
    cif = calloc(1, sizeof(RPC_CLIENT_INTERFACE));
1179
    if (!cif)
1180
        return E_OUTOFMEMORY;
1181

1182
    message_state = malloc(sizeof(*message_state));
1183
    if (!message_state)
1184
    {
1185
        free(cif);
1186
        return E_OUTOFMEMORY;
1187
    }
1188

1189
    cif->Length = sizeof(RPC_CLIENT_INTERFACE);
1190
    /* RPC interface ID = COM interface ID */
1191
    cif->InterfaceId.SyntaxGUID = This->iid;
1192
    /* COM objects always have a version of 0.0 */
1193
    cif->InterfaceId.SyntaxVersion.MajorVersion = 0;
1194
    cif->InterfaceId.SyntaxVersion.MinorVersion = 0;
1195
    msg->Handle = This->bind;
1196
    msg->RpcInterfaceInformation = cif;
1197

1198
    message_state->prefix_data_len = 0;
1199
    message_state->binding_handle = This->bind;
1200

1201
    message_state->channel_hook_info.iid = *riid;
1202
    message_state->channel_hook_info.cbSize = sizeof(message_state->channel_hook_info);
1203
    CoGetCurrentLogicalThreadId(&message_state->channel_hook_info.uCausality);
1204
    message_state->channel_hook_info.dwServerPid = This->server_pid;
1205
    message_state->channel_hook_info.iMethod = msg->ProcNum & ~RPC_FLAGS_VALID_BIT;
1206
    message_state->channel_hook_info.pObject = NULL; /* only present on server-side */
1207
    message_state->target_hwnd = NULL;
1208
    message_state->target_tid = 0;
1209
    memset(&message_state->params, 0, sizeof(message_state->params));
1210

1211
    extensions_size = ChannelHooks_ClientGetSize(&message_state->channel_hook_info,
1212
        &channel_hook_data, &channel_hook_count, &extension_count);
1213

1214
    msg->BufferLength += FIELD_OFFSET(WIRE_ORPCTHIS, extensions) + sizeof(DWORD);
1215
    if (extensions_size)
1216
    {
1217
        msg->BufferLength += FIELD_OFFSET(WIRE_ORPC_EXTENT_ARRAY, extent[2*sizeof(DWORD) + extensions_size]);
1218
        if (extension_count & 1)
1219
            msg->BufferLength += FIELD_OFFSET(WIRE_ORPC_EXTENT, data[0]);
1220
    }
1221

1222
    RpcBindingInqObject(message_state->binding_handle, &ipid);
1223
    hr = ipid_get_dispatch_params(&ipid, &apt, NULL, &message_state->params.stub,
1224
                                  &message_state->params.chan,
1225
                                  &message_state->params.iid,
1226
                                  &message_state->params.iface);
1227
    if (hr == S_OK)
1228
    {
1229
        /* stub, chan, iface and iid are unneeded in multi-threaded case as we go
1230
         * via the RPC runtime */
1231
        if (apt->multi_threaded)
1232
        {
1233
            IRpcStubBuffer_Release(message_state->params.stub);
1234
            message_state->params.stub = NULL;
1235
            IRpcChannelBuffer_Release(message_state->params.chan);
1236
            message_state->params.chan = NULL;
1237
            message_state->params.iface = NULL;
1238
        }
1239
        else
1240
        {
1241
            message_state->params.bypass_rpcrt = TRUE;
1242
            message_state->target_hwnd = apartment_getwindow(apt);
1243
            message_state->target_tid = apt->tid;
1244
            /* we assume later on that this being non-NULL is the indicator that
1245
             * means call directly instead of going through RPC runtime */
1246
            if (!message_state->target_hwnd)
1247
                ERR("window for apartment %s is NULL\n", wine_dbgstr_longlong(apt->oxid));
1248
        }
1249
    }
1250
    if (apt) apartment_release(apt);
1251
    message_state->params.handle = ClientRpcChannelBuffer_GetEventHandle(This);
1252
    /* Note: message_state->params.msg is initialised in
1253
     * ClientRpcChannelBuffer_SendReceive */
1254

1255
    /* shortcut the RPC runtime */
1256
    if (message_state->target_hwnd)
1257
    {
1258
        msg->Buffer = malloc(msg->BufferLength);
1259
        if (msg->Buffer)
1260
            status = RPC_S_OK;
1261
        else
1262
            status = ERROR_OUTOFMEMORY;
1263
    }
1264
    else
1265
        status = I_RpcGetBuffer(msg);
1266

1267
    msg->Handle = message_state;
1268

1269
    if (status == RPC_S_OK)
1270
    {
1271
        orpcthis = msg->Buffer;
1272
        msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPCTHIS, extensions);
1273

1274
        orpcthis->version.MajorVersion = COM_MAJOR_VERSION;
1275
        orpcthis->version.MinorVersion = COM_MINOR_VERSION;
1276
        orpcthis->flags = message_state->channel_hook_info.dwServerPid ? ORPCF_LOCAL : ORPCF_NULL;
1277
        orpcthis->reserved1 = 0;
1278
        orpcthis->cid = message_state->channel_hook_info.uCausality;
1279

1280
        /* NDR representation of orpcthis->extensions */
1281
        *(DWORD *)msg->Buffer = extensions_size ? 1 : 0;
1282
        msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1283

1284
        if (extensions_size)
1285
        {
1286
            ORPC_EXTENT_ARRAY *orpc_extent_array = msg->Buffer;
1287
            orpc_extent_array->size = extension_count;
1288
            orpc_extent_array->reserved = 0;
1289
            msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT_ARRAY, extent);
1290
            /* NDR representation of orpc_extent_array->extent */
1291
            *(DWORD *)msg->Buffer = 1;
1292
            msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1293
            /* NDR representation of [size_is] attribute of orpc_extent_array->extent */
1294
            *(DWORD *)msg->Buffer = (extension_count + 1) & ~1;
1295
            msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1296

1297
            msg->Buffer = ChannelHooks_ClientFillBuffer(&message_state->channel_hook_info,
1298
                msg->Buffer, channel_hook_data, channel_hook_count);
1299

1300
            /* we must add a dummy extension if there is an odd extension
1301
             * count to meet the contract specified by the size_is attribute */
1302
            if (extension_count & 1)
1303
            {
1304
                WIRE_ORPC_EXTENT *wire_orpc_extent = msg->Buffer;
1305
                wire_orpc_extent->conformance = 0;
1306
                wire_orpc_extent->id = GUID_NULL;
1307
                wire_orpc_extent->size = 0;
1308
                msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT, data[0]);
1309
            }
1310
        }
1311

1312
        /* store the prefixed data length so that we can restore the real buffer
1313
         * pointer in ClientRpcChannelBuffer_SendReceive. */
1314
        message_state->prefix_data_len = (char *)msg->Buffer - (char *)orpcthis;
1315
        msg->BufferLength -= message_state->prefix_data_len;
1316
    }
1317

1318
    free(channel_hook_data);
1319

1320
    TRACE("-- %ld\n", status);
1321

1322
    return HRESULT_FROM_WIN32(status);
1323
}
1324

1325
static HRESULT WINAPI ServerRpcChannelBuffer_SendReceive(LPRPCCHANNELBUFFER iface, RPCOLEMESSAGE *olemsg, ULONG *pstatus)
1326
{
1327
    FIXME("stub\n");
1328
    return E_NOTIMPL;
1329
}
1330

1331
/* this thread runs an outgoing RPC */
1332
static DWORD WINAPI rpc_sendreceive_thread(LPVOID param)
1333
{
1334
    struct dispatch_params *data = param;
1335

1336
    /* Note: I_RpcSendReceive doesn't raise exceptions like the higher-level
1337
     * RPC functions do */
1338
    data->status = I_RpcSendReceive((RPC_MESSAGE *)data->msg);
1339

1340
    TRACE("completed with status %#lx\n", data->status);
1341

1342
    SetEvent(data->handle);
1343

1344
    return 0;
1345
}
1346

1347
static inline HRESULT ClientRpcChannelBuffer_IsCorrectApartment(ClientRpcChannelBuffer *This, const struct apartment *apt)
1348
{
1349
    if (!apt)
1350
        return S_FALSE;
1351
    if (This->oxid != apartment_getoxid(apt))
1352
        return S_FALSE;
1353
    return S_OK;
1354
}
1355

1356
static HRESULT WINAPI ClientRpcChannelBuffer_SendReceive(LPRPCCHANNELBUFFER iface, RPCOLEMESSAGE *olemsg, ULONG *pstatus)
1357
{
1358
    ClientRpcChannelBuffer *This = (ClientRpcChannelBuffer *)iface;
1359
    HRESULT hr;
1360
    RPC_MESSAGE *msg = (RPC_MESSAGE *)olemsg;
1361
    RPC_STATUS status;
1362
    DWORD index;
1363
    struct message_state *message_state;
1364
    ORPCTHAT orpcthat;
1365
    ORPC_EXTENT_ARRAY orpc_ext_array;
1366
    WIRE_ORPC_EXTENT *first_wire_orpc_extent = NULL;
1367
    HRESULT hrFault = S_OK;
1368
    struct apartment *apt = apartment_get_current_or_mta();
1369
    struct tlsdata *tlsdata;
1370

1371
    TRACE("%p, iMethod %ld\n", olemsg, olemsg->iMethod);
1372

1373
    hr = ClientRpcChannelBuffer_IsCorrectApartment(This, apt);
1374
    if (hr != S_OK)
1375
    {
1376
        ERR("called from wrong apartment, should have been 0x%s\n",
1377
            wine_dbgstr_longlong(This->oxid));
1378
        if (apt) apartment_release(apt);
1379
        return RPC_E_WRONG_THREAD;
1380
    }
1381

1382
    if (FAILED(hr = com_get_tlsdata(&tlsdata)))
1383
        return hr;
1384

1385
    /* This situation should be impossible in multi-threaded apartments,
1386
     * because the calling thread isn't re-enterable.
1387
     * Note: doing a COM call during the processing of a sent message is
1388
     * only disallowed if a client call is already being waited for
1389
     * completion */
1390
    if (!apt->multi_threaded &&
1391
        tlsdata->pending_call_count_client &&
1392
        InSendMessage())
1393
    {
1394
        ERR("can't make an outgoing COM call in response to a sent message\n");
1395
        apartment_release(apt);
1396
        return RPC_E_CANTCALLOUT_ININPUTSYNCCALL;
1397
    }
1398

1399
    message_state = msg->Handle;
1400
    /* restore the binding handle and the real start of data */
1401
    msg->Handle = message_state->binding_handle;
1402
    msg->Buffer = (char *)msg->Buffer - message_state->prefix_data_len;
1403
    msg->BufferLength += message_state->prefix_data_len;
1404

1405
    /* Note: this is an optimization in the Microsoft OLE runtime that we need
1406
     * to copy, as shown by the test_no_couninitialize_client test. without
1407
     * short-circuiting the RPC runtime in the case below, the test will
1408
     * deadlock on the loader lock due to the RPC runtime needing to create
1409
     * a thread to process the RPC when this function is called indirectly
1410
     * from DllMain */
1411

1412
    message_state->params.msg = olemsg;
1413
    if (message_state->params.bypass_rpcrt)
1414
    {
1415
        TRACE("Calling apartment thread %#lx...\n", message_state->target_tid);
1416

1417
        msg->ProcNum &= ~RPC_FLAGS_VALID_BIT;
1418

1419
        if (!PostMessageW(message_state->target_hwnd, DM_EXECUTERPC, 0,
1420
                          (LPARAM)&message_state->params))
1421
        {
1422
            ERR("PostMessage failed with error %lu\n", GetLastError());
1423

1424
            /* Note: message_state->params.iface doesn't have a reference and
1425
             * so doesn't need to be released */
1426

1427
            hr = HRESULT_FROM_WIN32(GetLastError());
1428
        }
1429
    }
1430
    else
1431
    {
1432
        /* we use a separate thread here because we need to be able to
1433
         * pump the message loop in the application thread: if we do not,
1434
         * any windows created by this thread will hang and RPCs that try
1435
         * and re-enter this STA from an incoming server thread will
1436
         * deadlock. InstallShield is an example of that.
1437
         */
1438
        if (!QueueUserWorkItem(rpc_sendreceive_thread, &message_state->params, WT_EXECUTEDEFAULT))
1439
        {
1440
            ERR("QueueUserWorkItem failed with error %lu\n", GetLastError());
1441
            hr = E_UNEXPECTED;
1442
        }
1443
        else
1444
            hr = S_OK;
1445
    }
1446

1447
    if (hr == S_OK)
1448
    {
1449
        if (WaitForSingleObject(message_state->params.handle, 0))
1450
        {
1451
            tlsdata->pending_call_count_client++;
1452
            hr = CoWaitForMultipleHandles(0, INFINITE, 1, &message_state->params.handle, &index);
1453
            tlsdata->pending_call_count_client--;
1454
        }
1455
    }
1456
    ClientRpcChannelBuffer_ReleaseEventHandle(This, message_state->params.handle);
1457

1458
    /* for WM shortcut, faults are returned in params->hr */
1459
    if (hr == S_OK)
1460
        hrFault = message_state->params.hr;
1461

1462
    status = message_state->params.status;
1463

1464
    orpcthat.flags = ORPCF_NULL;
1465
    orpcthat.extensions = NULL;
1466

1467
    TRACE("RPC call status: %#lx\n", status);
1468
    if (status != RPC_S_OK)
1469
        hr = HRESULT_FROM_WIN32(status);
1470

1471
    TRACE("hrFault = %#lx\n", hrFault);
1472

1473
    /* FIXME: this condition should be
1474
     * "hr == S_OK && (!hrFault || msg->BufferLength > FIELD_OFFSET(ORPCTHAT, extensions) + 4)"
1475
     * but we don't currently reset the message length for PostMessage
1476
     * dispatched calls */
1477
    if (hr == S_OK && hrFault == S_OK)
1478
    {
1479
        HRESULT hr2;
1480
        char *original_buffer = msg->Buffer;
1481

1482
        /* handle ORPCTHAT and client extensions */
1483

1484
        hr2 = unmarshal_ORPCTHAT(msg, &orpcthat, &orpc_ext_array, &first_wire_orpc_extent);
1485
        if (FAILED(hr2))
1486
            hr = hr2;
1487

1488
        message_state->prefix_data_len = (char *)msg->Buffer - original_buffer;
1489
        msg->BufferLength -= message_state->prefix_data_len;
1490
    }
1491
    else
1492
        message_state->prefix_data_len = 0;
1493

1494
    if (hr == S_OK)
1495
    {
1496
        ChannelHooks_ClientNotify(&message_state->channel_hook_info,
1497
                                  msg->DataRepresentation,
1498
                                  first_wire_orpc_extent,
1499
                                  orpcthat.extensions && first_wire_orpc_extent ? orpcthat.extensions->size : 0,
1500
                                  hrFault);
1501
    }
1502

1503
    /* save away the message state again */
1504
    msg->Handle = message_state;
1505

1506
    if (pstatus) *pstatus = status;
1507

1508
    if (hr == S_OK)
1509
        hr = hrFault;
1510

1511
    TRACE("-- %#lx\n", hr);
1512

1513
    apartment_release(apt);
1514
    return hr;
1515
}
1516

1517
static HRESULT WINAPI ServerRpcChannelBuffer_FreeBuffer(LPRPCCHANNELBUFFER iface, RPCOLEMESSAGE* olemsg)
1518
{
1519
    RPC_MESSAGE *msg = (RPC_MESSAGE *)olemsg;
1520
    RPC_STATUS status;
1521
    struct message_state *message_state;
1522

1523
    TRACE("(%p)\n", msg);
1524

1525
    message_state = msg->Handle;
1526
    /* restore the binding handle and the real start of data */
1527
    msg->Handle = message_state->binding_handle;
1528
    msg->Buffer = (char *)msg->Buffer - message_state->prefix_data_len;
1529
    msg->BufferLength += message_state->prefix_data_len;
1530
    message_state->prefix_data_len = 0;
1531

1532
    if (message_state->bypass_rpcrt)
1533
    {
1534
        free(msg->Buffer);
1535
        status = RPC_S_OK;
1536
    }
1537
    else
1538
        status = I_RpcFreeBuffer(msg);
1539

1540
    msg->Handle = message_state;
1541

1542
    TRACE("-- %ld\n", status);
1543

1544
    return HRESULT_FROM_WIN32(status);
1545
}
1546

1547
static HRESULT WINAPI ClientRpcChannelBuffer_FreeBuffer(LPRPCCHANNELBUFFER iface, RPCOLEMESSAGE* olemsg)
1548
{
1549
    RPC_MESSAGE *msg = (RPC_MESSAGE *)olemsg;
1550
    RPC_STATUS status;
1551
    struct message_state *message_state;
1552

1553
    TRACE("(%p)\n", msg);
1554

1555
    message_state = msg->Handle;
1556
    /* restore the binding handle and the real start of data */
1557
    msg->Handle = message_state->binding_handle;
1558
    msg->Buffer = (char *)msg->Buffer - message_state->prefix_data_len;
1559
    msg->BufferLength += message_state->prefix_data_len;
1560

1561
    if (message_state->params.bypass_rpcrt)
1562
    {
1563
        free(msg->Buffer);
1564
        status = RPC_S_OK;
1565
    }
1566
    else
1567
        status = I_RpcFreeBuffer(msg);
1568

1569
    free(msg->RpcInterfaceInformation);
1570
    msg->RpcInterfaceInformation = NULL;
1571

1572
    if (message_state->params.stub)
1573
        IRpcStubBuffer_Release(message_state->params.stub);
1574
    if (message_state->params.chan)
1575
        IRpcChannelBuffer_Release(message_state->params.chan);
1576
    free(message_state);
1577

1578
    TRACE("-- %ld\n", status);
1579

1580
    return HRESULT_FROM_WIN32(status);
1581
}
1582

1583
static HRESULT WINAPI ClientRpcChannelBuffer_GetDestCtx(LPRPCCHANNELBUFFER iface, DWORD* pdwDestContext, void** ppvDestContext)
1584
{
1585
    ClientRpcChannelBuffer *This = (ClientRpcChannelBuffer *)iface;
1586

1587
    TRACE("(%p,%p)\n", pdwDestContext, ppvDestContext);
1588

1589
    *pdwDestContext = This->super.dest_context;
1590
    *ppvDestContext = This->super.dest_context_data;
1591

1592
    return S_OK;
1593
}
1594

1595
static HRESULT WINAPI ServerRpcChannelBuffer_GetDestCtx(LPRPCCHANNELBUFFER iface, DWORD* dest_context, void** dest_context_data)
1596
{
1597
    RpcChannelBuffer *This = (RpcChannelBuffer *)iface;
1598

1599
    TRACE("(%p,%p)\n", dest_context, dest_context_data);
1600

1601
    *dest_context = This->dest_context;
1602
    *dest_context_data = This->dest_context_data;
1603
    return S_OK;
1604
}
1605

1606
static HRESULT WINAPI RpcChannelBuffer_IsConnected(LPRPCCHANNELBUFFER iface)
1607
{
1608
    TRACE("()\n");
1609
    /* native does nothing too */
1610
    return S_OK;
1611
}
1612

1613
static const IRpcChannelBufferVtbl ClientRpcChannelBufferVtbl =
1614
{
1615
    RpcChannelBuffer_QueryInterface,
1616
    RpcChannelBuffer_AddRef,
1617
    ClientRpcChannelBuffer_Release,
1618
    ClientRpcChannelBuffer_GetBuffer,
1619
    ClientRpcChannelBuffer_SendReceive,
1620
    ClientRpcChannelBuffer_FreeBuffer,
1621
    ClientRpcChannelBuffer_GetDestCtx,
1622
    RpcChannelBuffer_IsConnected
1623
};
1624

1625
static const IRpcChannelBufferVtbl ServerRpcChannelBufferVtbl =
1626
{
1627
    RpcChannelBuffer_QueryInterface,
1628
    RpcChannelBuffer_AddRef,
1629
    ServerRpcChannelBuffer_Release,
1630
    ServerRpcChannelBuffer_GetBuffer,
1631
    ServerRpcChannelBuffer_SendReceive,
1632
    ServerRpcChannelBuffer_FreeBuffer,
1633
    ServerRpcChannelBuffer_GetDestCtx,
1634
    RpcChannelBuffer_IsConnected
1635
};
1636

1637
/* returns a channel buffer for proxies */
1638
HRESULT rpc_create_clientchannel(const OXID *oxid, const IPID *ipid,
1639
                                const OXID_INFO *oxid_info, const IID *iid,
1640
                                DWORD dest_context, void *dest_context_data,
1641
                                IRpcChannelBuffer **chan, struct apartment *apt)
1642
{
1643
    ClientRpcChannelBuffer *This;
1644
    WCHAR                   endpoint[200];
1645
    RPC_BINDING_HANDLE      bind;
1646
    RPC_STATUS              status;
1647
    LPWSTR                  string_binding;
1648

1649
    /* FIXME: get the endpoint from oxid_info->psa instead */
1650
    get_rpc_endpoint(endpoint, oxid);
1651

1652
    TRACE("proxy pipe: connecting to endpoint: %s\n", debugstr_w(endpoint));
1653

1654
    status = RpcStringBindingComposeW(
1655
        NULL,
1656
        rpctransportW,
1657
        NULL,
1658
        endpoint,
1659
        NULL,
1660
        &string_binding);
1661

1662
    if (status == RPC_S_OK)
1663
    {
1664
        status = RpcBindingFromStringBindingW(string_binding, &bind);
1665

1666
        if (status == RPC_S_OK)
1667
        {
1668
            IPID ipid2 = *ipid; /* why can't RpcBindingSetObject take a const? */
1669
            status = RpcBindingSetObject(bind, &ipid2);
1670
            if (status != RPC_S_OK)
1671
                RpcBindingFree(&bind);
1672
        }
1673

1674
        RpcStringFreeW(&string_binding);
1675
    }
1676

1677
    if (status != RPC_S_OK)
1678
    {
1679
        ERR("Couldn't get binding for endpoint %s, status = %ld\n", debugstr_w(endpoint), status);
1680
        return HRESULT_FROM_WIN32(status);
1681
    }
1682

1683
    This = malloc(sizeof(*This));
1684
    if (!This)
1685
    {
1686
        RpcBindingFree(&bind);
1687
        return E_OUTOFMEMORY;
1688
    }
1689

1690
    This->super.IRpcChannelBuffer_iface.lpVtbl = &ClientRpcChannelBufferVtbl;
1691
    This->super.refs = 1;
1692
    This->super.dest_context = dest_context;
1693
    This->super.dest_context_data = dest_context_data;
1694
    This->bind = bind;
1695
    This->oxid = apartment_getoxid(apt);
1696
    This->server_pid = oxid_info->dwPid;
1697
    This->event = NULL;
1698
    This->iid = *iid;
1699

1700
    *chan = &This->super.IRpcChannelBuffer_iface;
1701

1702
    return S_OK;
1703
}
1704

1705
HRESULT rpc_create_serverchannel(DWORD dest_context, void *dest_context_data, IRpcChannelBuffer **chan)
1706
{
1707
    RpcChannelBuffer *This = malloc(sizeof(*This));
1708
    if (!This)
1709
        return E_OUTOFMEMORY;
1710

1711
    This->IRpcChannelBuffer_iface.lpVtbl = &ServerRpcChannelBufferVtbl;
1712
    This->refs = 1;
1713
    This->dest_context = dest_context;
1714
    This->dest_context_data = dest_context_data;
1715

1716
    *chan = &This->IRpcChannelBuffer_iface;
1717

1718
    return S_OK;
1719
}
1720

1721
/* unmarshals ORPC_EXTENT_ARRAY according to NDR rules, but doesn't allocate
1722
 * any memory */
1723
static HRESULT unmarshal_ORPC_EXTENT_ARRAY(RPC_MESSAGE *msg, const char *end,
1724
                                           ORPC_EXTENT_ARRAY *extensions,
1725
                                           WIRE_ORPC_EXTENT **first_wire_orpc_extent)
1726
{
1727
    DWORD pointer_id;
1728
    DWORD i;
1729

1730
    memcpy(extensions, msg->Buffer, FIELD_OFFSET(WIRE_ORPC_EXTENT_ARRAY, extent));
1731
    msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPC_EXTENT_ARRAY, extent);
1732

1733
    if ((const char *)msg->Buffer + 2 * sizeof(DWORD) > end)
1734
        return RPC_E_INVALID_HEADER;
1735

1736
    pointer_id = *(DWORD *)msg->Buffer;
1737
    msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1738
    extensions->extent = NULL;
1739

1740
    if (pointer_id)
1741
    {
1742
        WIRE_ORPC_EXTENT *wire_orpc_extent;
1743

1744
        /* conformance */
1745
        if (*(DWORD *)msg->Buffer != ((extensions->size+1)&~1))
1746
            return RPC_S_INVALID_BOUND;
1747

1748
        msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1749

1750
        /* arbitrary limit for security (don't know what native does) */
1751
        if (extensions->size > 256)
1752
        {
1753
            ERR("too many extensions: %ld\n", extensions->size);
1754
            return RPC_S_INVALID_BOUND;
1755
        }
1756

1757
        *first_wire_orpc_extent = wire_orpc_extent = msg->Buffer;
1758
        for (i = 0; i < ((extensions->size+1)&~1); i++)
1759
        {
1760
            if ((const char *)&wire_orpc_extent->data[0] > end)
1761
                return RPC_S_INVALID_BOUND;
1762
            if (wire_orpc_extent->conformance != ((wire_orpc_extent->size+7)&~7))
1763
                return RPC_S_INVALID_BOUND;
1764
            if ((const char *)&wire_orpc_extent->data[wire_orpc_extent->conformance] > end)
1765
                return RPC_S_INVALID_BOUND;
1766
            TRACE("size %lu, guid %s\n", wire_orpc_extent->size, debugstr_guid(&wire_orpc_extent->id));
1767
            wire_orpc_extent = (WIRE_ORPC_EXTENT *)&wire_orpc_extent->data[wire_orpc_extent->conformance];
1768
        }
1769
        msg->Buffer = wire_orpc_extent;
1770
    }
1771

1772
    return S_OK;
1773
}
1774

1775
/* unmarshals ORPCTHIS according to NDR rules, but doesn't allocate any memory */
1776
static HRESULT unmarshal_ORPCTHIS(RPC_MESSAGE *msg, ORPCTHIS *orpcthis,
1777
    ORPC_EXTENT_ARRAY *orpc_ext_array, WIRE_ORPC_EXTENT **first_wire_orpc_extent)
1778
{
1779
    const char *end = (char *)msg->Buffer + msg->BufferLength;
1780

1781
    *first_wire_orpc_extent = NULL;
1782

1783
    if (msg->BufferLength < FIELD_OFFSET(WIRE_ORPCTHIS, extensions) + sizeof(DWORD))
1784
    {
1785
        ERR("invalid buffer length\n");
1786
        return RPC_E_INVALID_HEADER;
1787
    }
1788

1789
    memcpy(orpcthis, msg->Buffer, FIELD_OFFSET(WIRE_ORPCTHIS, extensions));
1790
    msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPCTHIS, extensions);
1791

1792
    if ((const char *)msg->Buffer + sizeof(DWORD) > end)
1793
        return RPC_E_INVALID_HEADER;
1794

1795
    if (*(DWORD *)msg->Buffer)
1796
        orpcthis->extensions = orpc_ext_array;
1797
    else
1798
        orpcthis->extensions = NULL;
1799

1800
    msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1801

1802
    if (orpcthis->extensions)
1803
    {
1804
        HRESULT hr = unmarshal_ORPC_EXTENT_ARRAY(msg, end, orpc_ext_array,
1805
                                                 first_wire_orpc_extent);
1806
        if (FAILED(hr))
1807
            return hr;
1808
    }
1809

1810
    if ((orpcthis->version.MajorVersion != COM_MAJOR_VERSION) ||
1811
        (orpcthis->version.MinorVersion > COM_MINOR_VERSION))
1812
    {
1813
        ERR("COM version {%d, %d} not supported\n",
1814
            orpcthis->version.MajorVersion, orpcthis->version.MinorVersion);
1815
        return RPC_E_VERSION_MISMATCH;
1816
    }
1817

1818
    if (orpcthis->flags & ~(ORPCF_LOCAL|ORPCF_RESERVED1|ORPCF_RESERVED2|ORPCF_RESERVED3|ORPCF_RESERVED4))
1819
    {
1820
        ERR("invalid flags %#lx\n", orpcthis->flags & ~(ORPCF_LOCAL|ORPCF_RESERVED1|ORPCF_RESERVED2|ORPCF_RESERVED3|ORPCF_RESERVED4));
1821
        return RPC_E_INVALID_HEADER;
1822
    }
1823

1824
    return S_OK;
1825
}
1826

1827
static HRESULT unmarshal_ORPCTHAT(RPC_MESSAGE *msg, ORPCTHAT *orpcthat,
1828
                                  ORPC_EXTENT_ARRAY *orpc_ext_array, WIRE_ORPC_EXTENT **first_wire_orpc_extent)
1829
{
1830
    const char *end = (char *)msg->Buffer + msg->BufferLength;
1831

1832
    *first_wire_orpc_extent = NULL;
1833

1834
    if (msg->BufferLength < FIELD_OFFSET(WIRE_ORPCTHAT, extensions) + sizeof(DWORD))
1835
    {
1836
        ERR("invalid buffer length\n");
1837
        return RPC_E_INVALID_HEADER;
1838
    }
1839

1840
    memcpy(orpcthat, msg->Buffer, FIELD_OFFSET(WIRE_ORPCTHAT, extensions));
1841
    msg->Buffer = (char *)msg->Buffer + FIELD_OFFSET(WIRE_ORPCTHAT, extensions);
1842

1843
    if ((const char *)msg->Buffer + sizeof(DWORD) > end)
1844
        return RPC_E_INVALID_HEADER;
1845

1846
    if (*(DWORD *)msg->Buffer)
1847
        orpcthat->extensions = orpc_ext_array;
1848
    else
1849
        orpcthat->extensions = NULL;
1850

1851
    msg->Buffer = (char *)msg->Buffer + sizeof(DWORD);
1852

1853
    if (orpcthat->extensions)
1854
    {
1855
        HRESULT hr = unmarshal_ORPC_EXTENT_ARRAY(msg, end, orpc_ext_array,
1856
                                                 first_wire_orpc_extent);
1857
        if (FAILED(hr))
1858
            return hr;
1859
    }
1860

1861
    if (orpcthat->flags & ~(ORPCF_LOCAL|ORPCF_RESERVED1|ORPCF_RESERVED2|ORPCF_RESERVED3|ORPCF_RESERVED4))
1862
    {
1863
        ERR("invalid flags %#lx\n", orpcthat->flags & ~(ORPCF_LOCAL|ORPCF_RESERVED1|ORPCF_RESERVED2|ORPCF_RESERVED3|ORPCF_RESERVED4));
1864
        return RPC_E_INVALID_HEADER;
1865
    }
1866

1867
    return S_OK;
1868
}
1869

1870
void rpc_execute_call(struct dispatch_params *params)
1871
{
1872
    struct message_state *message_state = NULL;
1873
    RPC_MESSAGE *msg = (RPC_MESSAGE *)params->msg;
1874
    char *original_buffer = msg->Buffer;
1875
    ORPCTHIS orpcthis;
1876
    ORPC_EXTENT_ARRAY orpc_ext_array;
1877
    WIRE_ORPC_EXTENT *first_wire_orpc_extent;
1878
    GUID old_causality_id;
1879
    struct tlsdata *tlsdata;
1880
    struct apartment *apt;
1881

1882
    if (FAILED(com_get_tlsdata(&tlsdata)))
1883
        return;
1884

1885
    apt = com_get_current_apt();
1886

1887
    /* handle ORPCTHIS and server extensions */
1888

1889
    params->hr = unmarshal_ORPCTHIS(msg, &orpcthis, &orpc_ext_array, &first_wire_orpc_extent);
1890
    if (params->hr != S_OK)
1891
    {
1892
        msg->Buffer = original_buffer;
1893
        goto exit;
1894
    }
1895

1896
    message_state = malloc(sizeof(*message_state));
1897
    if (!message_state)
1898
    {
1899
        params->hr = E_OUTOFMEMORY;
1900
        msg->Buffer = original_buffer;
1901
        goto exit;
1902
    }
1903

1904
    message_state->prefix_data_len = (char *)msg->Buffer - original_buffer;
1905
    message_state->binding_handle = msg->Handle;
1906
    message_state->bypass_rpcrt = params->bypass_rpcrt;
1907

1908
    message_state->channel_hook_info.iid = params->iid;
1909
    message_state->channel_hook_info.cbSize = sizeof(message_state->channel_hook_info);
1910
    message_state->channel_hook_info.uCausality = orpcthis.cid;
1911
    message_state->channel_hook_info.dwServerPid = GetCurrentProcessId();
1912
    message_state->channel_hook_info.iMethod = msg->ProcNum;
1913
    message_state->channel_hook_info.pObject = params->iface;
1914

1915
    if (orpcthis.extensions && first_wire_orpc_extent &&
1916
        orpcthis.extensions->size)
1917
        ChannelHooks_ServerNotify(&message_state->channel_hook_info, msg->DataRepresentation, first_wire_orpc_extent, orpcthis.extensions->size);
1918

1919
    msg->Handle = message_state;
1920
    msg->BufferLength -= message_state->prefix_data_len;
1921

1922
    /* call message filter */
1923

1924
    if (apt->filter)
1925
    {
1926
        DWORD handlecall;
1927
        INTERFACEINFO interface_info;
1928
        CALLTYPE calltype;
1929

1930
        interface_info.pUnk = params->iface;
1931
        interface_info.iid = params->iid;
1932
        interface_info.wMethod = msg->ProcNum;
1933

1934
        if (IsEqualGUID(&orpcthis.cid, &tlsdata->causality_id))
1935
            calltype = CALLTYPE_NESTED;
1936
        else if (tlsdata->pending_call_count_server == 0)
1937
            calltype = CALLTYPE_TOPLEVEL;
1938
        else
1939
            calltype = CALLTYPE_TOPLEVEL_CALLPENDING;
1940

1941
        handlecall = IMessageFilter_HandleInComingCall(apt->filter,
1942
                                                       calltype,
1943
                                                       UlongToHandle(GetCurrentProcessId()),
1944
                                                       0 /* FIXME */,
1945
                                                       &interface_info);
1946
        TRACE("IMessageFilter_HandleInComingCall returned %ld\n", handlecall);
1947
        switch (handlecall)
1948
        {
1949
        case SERVERCALL_REJECTED:
1950
            params->hr = RPC_E_CALL_REJECTED;
1951
            goto exit_reset_state;
1952
        case SERVERCALL_RETRYLATER:
1953
#if 0 /* FIXME: handle retries on the client side before enabling this code */
1954
            params->hr = RPC_E_RETRY;
1955
            goto exit_reset_state;
1956
#else
1957
            FIXME("retry call later not implemented\n");
1958
            break;
1959
#endif
1960
        case SERVERCALL_ISHANDLED:
1961
        default:
1962
            break;
1963
        }
1964
    }
1965

1966
    /* invoke the method */
1967

1968
    /* save the old causality ID - note: any calls executed while processing
1969
     * messages received during the SendReceive will appear to originate from
1970
     * this call - this should be checked with what Windows does */
1971
    old_causality_id = tlsdata->causality_id;
1972
    tlsdata->causality_id = orpcthis.cid;
1973
    tlsdata->pending_call_count_server++;
1974
    params->hr = IRpcStubBuffer_Invoke(params->stub, params->msg, params->chan);
1975
    tlsdata->pending_call_count_server--;
1976
    tlsdata->causality_id = old_causality_id;
1977

1978
    /* the invoke allocated a new buffer, so free the old one */
1979
    if (message_state->bypass_rpcrt && original_buffer != msg->Buffer)
1980
        free(original_buffer);
1981

1982
exit_reset_state:
1983
    message_state = msg->Handle;
1984
    msg->Handle = message_state->binding_handle;
1985
    msg->Buffer = (char *)msg->Buffer - message_state->prefix_data_len;
1986
    msg->BufferLength += message_state->prefix_data_len;
1987

1988
exit:
1989
    free(message_state);
1990
    if (params->handle) SetEvent(params->handle);
1991
}
1992

1993
static void __RPC_STUB dispatch_rpc(RPC_MESSAGE *msg)
1994
{
1995
    struct dispatch_params *params;
1996
    struct stub_manager *stub_manager;
1997
    struct apartment *apt;
1998
    IPID ipid;
1999
    HRESULT hr;
2000

2001
    RpcBindingInqObject(msg->Handle, &ipid);
2002

2003
    TRACE("ipid = %s, iMethod = %d\n", debugstr_guid(&ipid), msg->ProcNum);
2004

2005
    params = malloc(sizeof(*params));
2006
    if (!params)
2007
    {
2008
        RpcRaiseException(E_OUTOFMEMORY);
2009
        return;
2010
    }
2011

2012
    hr = ipid_get_dispatch_params(&ipid, &apt, &stub_manager, &params->stub, &params->chan,
2013
                                  &params->iid, &params->iface);
2014
    if (hr != S_OK)
2015
    {
2016
        ERR("no apartment found for ipid %s\n", debugstr_guid(&ipid));
2017
        free(params);
2018
        RpcRaiseException(hr);
2019
        return;
2020
    }
2021

2022
    params->msg = (RPCOLEMESSAGE *)msg;
2023
    params->status = RPC_S_OK;
2024
    params->hr = S_OK;
2025
    params->handle = NULL;
2026
    params->bypass_rpcrt = FALSE;
2027

2028
    /* Note: this is the important difference between STAs and MTAs - we
2029
     * always execute RPCs to STAs in the thread that originally created the
2030
     * apartment (i.e. the one that pumps messages to the window) */
2031
    if (!apt->multi_threaded)
2032
    {
2033
        params->handle = CreateEventW(NULL, FALSE, FALSE, NULL);
2034

2035
        TRACE("Calling apartment thread %#lx...\n", apt->tid);
2036

2037
        if (PostMessageW(apartment_getwindow(apt), DM_EXECUTERPC, 0, (LPARAM)params))
2038
            WaitForSingleObject(params->handle, INFINITE);
2039
        else
2040
        {
2041
            ERR("PostMessage failed with error %lu\n", GetLastError());
2042
            IRpcChannelBuffer_Release(params->chan);
2043
            IRpcStubBuffer_Release(params->stub);
2044
        }
2045
        CloseHandle(params->handle);
2046
    }
2047
    else
2048
    {
2049
        BOOL joined = FALSE;
2050
        struct tlsdata *tlsdata;
2051

2052
        com_get_tlsdata(&tlsdata);
2053

2054
        if (!tlsdata->apt)
2055
        {
2056
            enter_apartment(tlsdata, COINIT_MULTITHREADED);
2057
            joined = TRUE;
2058
        }
2059
        rpc_execute_call(params);
2060
        if (joined)
2061
        {
2062
            leave_apartment(tlsdata);
2063
        }
2064
    }
2065

2066
    hr = params->hr;
2067
    if (params->chan)
2068
        IRpcChannelBuffer_Release(params->chan);
2069
    if (params->stub)
2070
        IRpcStubBuffer_Release(params->stub);
2071
    free(params);
2072

2073
    stub_manager_int_release(stub_manager);
2074
    apartment_release(apt);
2075

2076
    /* if IRpcStubBuffer_Invoke fails, we should raise an exception to tell
2077
     * the RPC runtime that the call failed */
2078
    if (hr != S_OK) RpcRaiseException(hr);
2079
}
2080

2081
/* stub registration */
2082
HRESULT rpc_register_interface(REFIID riid)
2083
{
2084
    struct registered_if *rif;
2085
    BOOL found = FALSE;
2086
    HRESULT hr = S_OK;
2087

2088
    TRACE("(%s)\n", debugstr_guid(riid));
2089

2090
    EnterCriticalSection(&csRegIf);
2091
    LIST_FOR_EACH_ENTRY(rif, &registered_interfaces, struct registered_if, entry)
2092
    {
2093
        if (IsEqualGUID(&rif->If.InterfaceId.SyntaxGUID, riid))
2094
        {
2095
            rif->refs++;
2096
            found = TRUE;
2097
            break;
2098
        }
2099
    }
2100
    if (!found)
2101
    {
2102
        TRACE("Creating new interface\n");
2103

2104
        rif = calloc(1, sizeof(*rif));
2105
        if (rif)
2106
        {
2107
            RPC_STATUS status;
2108

2109
            rif->refs = 1;
2110
            rif->If.Length = sizeof(RPC_SERVER_INTERFACE);
2111
            /* RPC interface ID = COM interface ID */
2112
            rif->If.InterfaceId.SyntaxGUID = *riid;
2113
            rif->If.DispatchTable = &rpc_dispatch;
2114
            /* all other fields are 0, including the version asCOM objects
2115
             * always have a version of 0.0 */
2116
            status = RpcServerRegisterIfEx(
2117
                (RPC_IF_HANDLE)&rif->If,
2118
                NULL, NULL,
2119
                RPC_IF_OLE | RPC_IF_AUTOLISTEN,
2120
                RPC_C_LISTEN_MAX_CALLS_DEFAULT,
2121
                NULL);
2122
            if (status == RPC_S_OK)
2123
                list_add_tail(&registered_interfaces, &rif->entry);
2124
            else
2125
            {
2126
                ERR("RpcServerRegisterIfEx failed with error %ld\n", status);
2127
                free(rif);
2128
                hr = HRESULT_FROM_WIN32(status);
2129
            }
2130
        }
2131
        else
2132
            hr = E_OUTOFMEMORY;
2133
    }
2134
    LeaveCriticalSection(&csRegIf);
2135
    return hr;
2136
}
2137

2138
/* stub unregistration */
2139
void rpc_unregister_interface(REFIID riid, BOOL wait)
2140
{
2141
    struct registered_if *rif;
2142
    EnterCriticalSection(&csRegIf);
2143
    LIST_FOR_EACH_ENTRY(rif, &registered_interfaces, struct registered_if, entry)
2144
    {
2145
        if (IsEqualGUID(&rif->If.InterfaceId.SyntaxGUID, riid))
2146
        {
2147
            if (!--rif->refs)
2148
            {
2149
                RpcServerUnregisterIf((RPC_IF_HANDLE)&rif->If, NULL, wait);
2150
                list_remove(&rif->entry);
2151
                free(rif);
2152
            }
2153
            break;
2154
        }
2155
    }
2156
    LeaveCriticalSection(&csRegIf);
2157
}
2158

2159
/* get the info for an OXID, including the IPID for the rem unknown interface
2160
 * and the string binding */
2161
HRESULT rpc_resolve_oxid(OXID oxid, OXID_INFO *oxid_info)
2162
{
2163
    TRACE("%s\n", wine_dbgstr_longlong(oxid));
2164

2165
    oxid_info->dwTid = 0;
2166
    oxid_info->dwPid = 0;
2167
    oxid_info->dwAuthnHint = RPC_C_AUTHN_LEVEL_NONE;
2168
    /* FIXME: this is a hack around not having an OXID resolver yet -
2169
     * this function should contact the machine's OXID resolver and then it
2170
     * should give us the IPID of the IRemUnknown interface */
2171
    oxid_info->ipidRemUnknown.Data1 = 0xffffffff;
2172
    oxid_info->ipidRemUnknown.Data2 = 0xffff;
2173
    oxid_info->ipidRemUnknown.Data3 = 0xffff;
2174
    memcpy(oxid_info->ipidRemUnknown.Data4, &oxid, sizeof(OXID));
2175
    oxid_info->psa = NULL /* FIXME */;
2176

2177
    return S_OK;
2178
}
2179

2180
/* make the apartment reachable by other threads and processes and create the
2181
 * IRemUnknown object */
2182
void rpc_start_remoting(struct apartment *apt)
2183
{
2184
    if (!InterlockedExchange(&apt->remoting_started, TRUE))
2185
    {
2186
        WCHAR endpoint[200];
2187
        RPC_STATUS status;
2188

2189
        get_rpc_endpoint(endpoint, &apt->oxid);
2190

2191
        status = RpcServerUseProtseqEpW(
2192
            rpctransportW,
2193
            RPC_C_PROTSEQ_MAX_REQS_DEFAULT,
2194
            endpoint,
2195
            NULL);
2196
        if (status != RPC_S_OK)
2197
            ERR("Couldn't register endpoint %s\n", debugstr_w(endpoint));
2198

2199
        /* FIXME: move remote unknown exporting into this function */
2200
    }
2201
    start_apartment_remote_unknown(apt);
2202
}
2203

2204
/******************************************************************************
2205
 *            DllDebugObjectRPCHook    (combase.@)
2206
 */
2207
BOOL WINAPI DllDebugObjectRPCHook(BOOL trace, /* ORPC_INIT_ARGS * */ void *args)
2208
{
2209
    FIXME("%d, %p: stub\n", trace, args);
2210

2211
    return TRUE;
2212
}
2213

2214
/******************************************************************************
2215
 *            CoDecodeProxy    (combase.@)
2216
 */
2217
HRESULT WINAPI CoDecodeProxy(DWORD client_pid, UINT64 proxy_addr, ServerInformation *server_info)
2218
{
2219
    FIXME("%lx, %s, %p.\n", client_pid, wine_dbgstr_longlong(proxy_addr), server_info);
2220
    return E_NOTIMPL;
2221
}
2222

2223