[NTOS:SE] Fix new dynamic length calculation in TokenPrimaryGroup case

Not only primary group assignation was broken but new dynamic length calculation is also broken. The length of the captured SID is not taken into account so the new dynamic length gets only the size of the default ACL present in an access token. Therefore, the condition is always FALSE and the code never jumps to the STATUS_ALLOTTED_SPACE_EXCEEDED branch because the length will always be small than the charged dynamic length. Addendum to 86bde3c.
2024-12-28 01:55:19 +00:00 · 2022-08-16 20:27:27 +02:00 · 2022-08-16 20:27:27 +02:00 · 3b00f98b94
commit 3b00f98b94
parent 3bd822366c
1 changed files with 2 additions and 3 deletions
--- a/ntoskrnl/se/tokencls.c
+++ b/ntoskrnl/se/tokencls.c
@ -1259,8 +1259,8 @@ NtSetInformationToken(
                         * to do so. Exceeding this boundary and we're
                         * busted out.
                         */
-                        NewDynamicLength = RtlLengthSid(CapturedSid) +
-                                           Token->DefaultDacl ? Token->DefaultDacl->AclSize : 0;
+                        AclSize = Token->DefaultDacl ? Token->DefaultDacl->AclSize : 0;
+                        NewDynamicLength = RtlLengthSid(CapturedSid) + AclSize;
                        if (NewDynamicLength > Token->DynamicCharged)
                        {
                            SepReleaseTokenLock(Token);
@ -1317,7 +1317,6 @@ NtSetInformationToken(
                                 * has a default DACL then add up its size with
                                 * the address of the dynamic part.
                                 */
-                                AclSize = Token->DefaultDacl ? Token->DefaultDacl->AclSize : 0;
                                PrimaryGroup = (ULONG_PTR)(Token->DynamicPart) + AclSize;
                                RtlCopySid(RtlLengthSid(Token->UserAndGroups[PrimaryGroupIndex].Sid),
                                           (PVOID)PrimaryGroup,