securely access buffers in NtImpersonateThread()

svn path=/trunk/; revision=13355
This commit is contained in:
Thomas Bluemel 2005-01-28 20:48:43 +00:00
parent 87e189fd31
commit 5149504971


@ -177,56 +177,73 @@ NtImpersonateThread(IN HANDLE ThreadHandle,
IN HANDLE ThreadToImpersonateHandle, IN HANDLE ThreadToImpersonateHandle,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService) IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
{ {
SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
SECURITY_CLIENT_CONTEXT ClientContext; SECURITY_CLIENT_CONTEXT ClientContext;
PETHREAD Thread; PETHREAD Thread;
PETHREAD ThreadToImpersonate; PETHREAD ThreadToImpersonate;
NTSTATUS Status; KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
PreviousMode = ExGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForRead(SecurityQualityOfService,
sizeof(SECURITY_QUALITY_OF_SERVICE),
sizeof(ULONG));
SafeServiceQoS = *SecurityQualityOfService;
SecurityQualityOfService = &SafeServiceQoS;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
Status = ObReferenceObjectByHandle(ThreadHandle, Status = ObReferenceObjectByHandle(ThreadHandle,
0, THREAD_IMPERSONATE,
PsThreadType, PsThreadType,
UserMode, PreviousMode,
(PVOID*)&Thread, (PVOID*)&Thread,
NULL); NULL);
if (!NT_SUCCESS (Status)) if(NT_SUCCESS(Status))
{ {
return Status;
}
Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle, Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
0, THREAD_DIRECT_IMPERSONATION,
PsThreadType, PsThreadType,
UserMode, PreviousMode,
(PVOID*)&ThreadToImpersonate, (PVOID*)&ThreadToImpersonate,
NULL); NULL);
if (!NT_SUCCESS(Status)) if(NT_SUCCESS(Status))
{ {
ObDereferenceObject (Thread);
return Status;
}
Status = SeCreateClientSecurity(ThreadToImpersonate, Status = SeCreateClientSecurity(ThreadToImpersonate,
SecurityQualityOfService, SecurityQualityOfService,
0, 0,
&ClientContext); &ClientContext);
if (!NT_SUCCESS(Status)) if(NT_SUCCESS(Status))
{ {
ObDereferenceObject (ThreadToImpersonate);
ObDereferenceObject (Thread);
return Status;
}
SeImpersonateClient(&ClientContext, SeImpersonateClient(&ClientContext,
Thread); Thread);
if(ClientContext.ClientToken != NULL) if(ClientContext.ClientToken != NULL)
{ {
ObDereferenceObject (ClientContext.ClientToken); ObDereferenceObject (ClientContext.ClientToken);
} }
}
ObDereferenceObject(ThreadToImpersonate); ObDereferenceObject(ThreadToImpersonate);
}
ObDereferenceObject(Thread); ObDereferenceObject(Thread);
}
return STATUS_SUCCESS; return Status;
} }
/* /*
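Review bot: The captured SafeServiceQoS is never validated after the probe-and-copy block, so a user-mode caller can still hand SeCreateClientSecurity a QoS whose Length or ImpersonationLevel is out of range; unless SeCreateClientSecurity rejects those itself (not visible in this hunk), add a check after the `if(!NT_SUCCESS(Status))` test, e.g. `if (SafeServiceQoS.Length != sizeof(SECURITY_QUALITY_OF_SERVICE)) return STATUS_INVALID_PARAMETER;`. Copying into a kernel-stack local is the right pattern here, since it also closes the double-fetch window between the probe and the later reads through SecurityQualityOfService. The nested-success structure dereferences Thread and ThreadToImpersonate on every path, but a reader has to trace three levels of braces to confirm it; a comment such as `/* SecurityQualityOfService now points at the kernel-mode copy captured above */` before the SeCreateClientSecurity call would make the safety of that pointer explicit. The function's opening line sits in the hunk header context just above the hunk.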