securely access buffers in NtImpersonateThread()
svn path=/trunk/; revision=13355
parent
87e189fd31
commit
5149504971
|
@ -177,56 +177,73 @@ NtImpersonateThread(IN HANDLE ThreadHandle,
|
|||
IN HANDLE ThreadToImpersonateHandle,
|
||||
IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
|
||||
{
|
||||
SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
|
||||
SECURITY_CLIENT_CONTEXT ClientContext;
|
||||
PETHREAD Thread;
|
||||
PETHREAD ThreadToImpersonate;
|
||||
NTSTATUS Status;
|
||||
KPROCESSOR_MODE PreviousMode;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
|
||||
PreviousMode = ExGetPreviousMode();
|
||||
|
||||
if(PreviousMode != KernelMode)
|
||||
{
|
||||
_SEH_TRY
|
||||
{
|
||||
ProbeForRead(SecurityQualityOfService,
|
||||
sizeof(SECURITY_QUALITY_OF_SERVICE),
|
||||
sizeof(ULONG));
|
||||
SafeServiceQoS = *SecurityQualityOfService;
|
||||
SecurityQualityOfService = &SafeServiceQoS;
|
||||
}
|
||||
_SEH_HANDLE
|
||||
{
|
||||
Status = _SEH_GetExceptionCode();
|
||||
}
|
||||
_SEH_END;
|
||||
|
||||
if(!NT_SUCCESS(Status))
|
||||
{
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
Status = ObReferenceObjectByHandle(ThreadHandle,
|
||||
0,
|
||||
THREAD_IMPERSONATE,
|
||||
PsThreadType,
|
||||
UserMode,
|
||||
PreviousMode,
|
||||
(PVOID*)&Thread,
|
||||
NULL);
|
||||
if (!NT_SUCCESS (Status))
|
||||
if(NT_SUCCESS(Status))
|
||||
{
|
||||
return Status;
|
||||
}
|
||||
|
||||
Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
|
||||
0,
|
||||
THREAD_DIRECT_IMPERSONATION,
|
||||
PsThreadType,
|
||||
UserMode,
|
||||
PreviousMode,
|
||||
(PVOID*)&ThreadToImpersonate,
|
||||
NULL);
|
||||
if (!NT_SUCCESS(Status))
|
||||
if(NT_SUCCESS(Status))
|
||||
{
|
||||
ObDereferenceObject (Thread);
|
||||
return Status;
|
||||
}
|
||||
|
||||
Status = SeCreateClientSecurity(ThreadToImpersonate,
|
||||
SecurityQualityOfService,
|
||||
0,
|
||||
&ClientContext);
|
||||
if (!NT_SUCCESS(Status))
|
||||
if(NT_SUCCESS(Status))
|
||||
{
|
||||
ObDereferenceObject (ThreadToImpersonate);
|
||||
ObDereferenceObject (Thread);
|
||||
return Status;
|
||||
}
|
||||
|
||||
SeImpersonateClient(&ClientContext,
|
||||
Thread);
|
||||
if(ClientContext.ClientToken != NULL)
|
||||
{
|
||||
ObDereferenceObject (ClientContext.ClientToken);
|
||||
}
|
||||
}
|
||||
|
||||
ObDereferenceObject(ThreadToImpersonate);
|
||||
}
|
||||
ObDereferenceObject(Thread);
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
return Status;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
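Review bot: The captured `SafeServiceQoS` reaches SeCreateClientSecurity() without any check of its contents: after the copy in the `_SEH_TRY` block, nothing visible compares `Length` with the structure size or range-checks `ImpersonationLevel`, so a user-mode caller still chooses those values freely. Unless SeCreateClientSecurity() validates them itself (not visible on this page), add a check right after the copy, for example `if (SafeServiceQoS.Length != sizeof(SECURITY_QUALITY_OF_SERVICE)) Status = STATUS_INVALID_PARAMETER;`, which the existing `if(!NT_SUCCESS(Status)) return Status;` would then pick up. A short comment on `SecurityQualityOfService = &SafeServiceQoS;` would also help, such as `/* use the captured copy from here on so the user buffer is read exactly once */`. The rendered page has lost its +/- markers, so which lines belong to the new side is inferred from the code's structure.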