mirror of
https://github.com/reactos/reactos.git
synced 2025-08-06 10:12:58 +00:00
securely access buffers in NtImpersonateThread()
svn path=/trunk/; revision=13355
This commit is contained in:
Thomas Bluemel
parent
87e189fd31
commit
5149504971
1 changed files with 60 additions and 43 deletions
|
|
@ -177,56 +177,73 @@ NtImpersonateThread(IN HANDLE ThreadHandle,
|
||||||
IN HANDLE ThreadToImpersonateHandle,
|
IN HANDLE ThreadToImpersonateHandle,
|
||||||
IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
|
IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
|
||||||
{
|
{
|
||||||
|
SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
|
||||||
SECURITY_CLIENT_CONTEXT ClientContext;
|
SECURITY_CLIENT_CONTEXT ClientContext;
|
||||||
PETHREAD Thread;
|
PETHREAD Thread;
|
||||||
PETHREAD ThreadToImpersonate;
|
PETHREAD ThreadToImpersonate;
|
||||||
NTSTATUS Status;
|
KPROCESSOR_MODE PreviousMode;
|
||||||
|
NTSTATUS Status = STATUS_SUCCESS;
|
||||||
|
|
||||||
Status = ObReferenceObjectByHandle (ThreadHandle,
|
PreviousMode = ExGetPreviousMode();
|
||||||
0,
|
|
||||||
|
if(PreviousMode != KernelMode)
|
||||||
|
{
|
||||||
|
_SEH_TRY
|
||||||
|
{
|
||||||
|
ProbeForRead(SecurityQualityOfService,
|
||||||
|
sizeof(SECURITY_QUALITY_OF_SERVICE),
|
||||||
|
sizeof(ULONG));
|
||||||
|
SafeServiceQoS = *SecurityQualityOfService;
|
||||||
|
SecurityQualityOfService = &SafeServiceQoS;
|
||||||
|
}
|
||||||
|
_SEH_HANDLE
|
||||||
|
{
|
||||||
|
Status = _SEH_GetExceptionCode();
|
||||||
|
}
|
||||||
|
_SEH_END;
|
||||||
|
|
||||||
|
if(!NT_SUCCESS(Status))
|
||||||
|
{
|
||||||
|
return Status;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Status = ObReferenceObjectByHandle(ThreadHandle,
|
||||||
|
THREAD_IMPERSONATE,
|
||||||
PsThreadType,
|
PsThreadType,
|
||||||
UserMode,
|
PreviousMode,
|
||||||
(PVOID*)&Thread,
|
(PVOID*)&Thread,
|
||||||
NULL);
|
NULL);
|
||||||
if (!NT_SUCCESS (Status))
|
if(NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
return Status;
|
Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
|
||||||
}
|
THREAD_DIRECT_IMPERSONATION,
|
||||||
|
|
||||||
Status = ObReferenceObjectByHandle (ThreadToImpersonateHandle,
|
|
||||||
0,
|
|
||||||
PsThreadType,
|
PsThreadType,
|
||||||
UserMode,
|
PreviousMode,
|
||||||
(PVOID*)&ThreadToImpersonate,
|
(PVOID*)&ThreadToImpersonate,
|
||||||
NULL);
|
NULL);
|
||||||
if (!NT_SUCCESS(Status))
|
if(NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
ObDereferenceObject (Thread);
|
Status = SeCreateClientSecurity(ThreadToImpersonate,
|
||||||
return Status;
|
|
||||||
}
|
|
||||||
|
|
||||||
Status = SeCreateClientSecurity (ThreadToImpersonate,
|
|
||||||
SecurityQualityOfService,
|
SecurityQualityOfService,
|
||||||
0,
|
0,
|
||||||
&ClientContext);
|
&ClientContext);
|
||||||
if (!NT_SUCCESS(Status))
|
if(NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
ObDereferenceObject (ThreadToImpersonate);
|
SeImpersonateClient(&ClientContext,
|
||||||
ObDereferenceObject (Thread);
|
|
||||||
return Status;
|
|
||||||
}
|
|
||||||
|
|
||||||
SeImpersonateClient (&ClientContext,
|
|
||||||
Thread);
|
Thread);
|
||||||
if (ClientContext.ClientToken != NULL)
|
if(ClientContext.ClientToken != NULL)
|
||||||
{
|
{
|
||||||
ObDereferenceObject (ClientContext.ClientToken);
|
ObDereferenceObject (ClientContext.ClientToken);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ObDereferenceObject (ThreadToImpersonate);
|
ObDereferenceObject(ThreadToImpersonate);
|
||||||
ObDereferenceObject (Thread);
|
}
|
||||||
|
ObDereferenceObject(Thread);
|
||||||
|
}
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue