fixed wrong buffer check in NtDuplicateToken and added buffer checks in NtOpenThreadTokenEx

svn path=/trunk/; revision=13541
This commit is contained in:
Thomas Bluemel 2005-02-13 22:00:36 +00:00
parent e63c27b419
commit 52cb066916


@ -137,27 +137,6 @@ SepDuplicateToken(PTOKEN Token,
PTOKEN AccessToken; PTOKEN AccessToken;
NTSTATUS Status; NTSTATUS Status;
if(PreviousMode != KernelMode)
{
Status = STATUS_SUCCESS;
_SEH_TRY
{
ProbeForWrite(NewAccessToken,
sizeof(TOKEN),
sizeof(ULONG));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
Status = ObCreateObject(PreviousMode, Status = ObCreateObject(PreviousMode,
SepTokenObjectType, SepTokenObjectType,
ObjectAttributes, ObjectAttributes,
@ -262,18 +241,9 @@ SepDuplicateToken(PTOKEN Token,
} }
if ( NT_SUCCESS(Status) ) if ( NT_SUCCESS(Status) )
{
_SEH_TRY
{ {
*NewAccessToken = AccessToken; *NewAccessToken = AccessToken;
Status = STATUS_SUCCESS; return(STATUS_SUCCESS);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
return Status;
} }
ObDereferenceObject(AccessToken); ObDereferenceObject(AccessToken);
@ -1068,11 +1038,33 @@ NtDuplicateToken(IN HANDLE ExistingTokenHandle,
OUT PHANDLE NewTokenHandle) OUT PHANDLE NewTokenHandle)
{ {
KPROCESSOR_MODE PreviousMode; KPROCESSOR_MODE PreviousMode;
HANDLE hToken;
PTOKEN Token; PTOKEN Token;
PTOKEN NewToken; PTOKEN NewToken;
NTSTATUS Status; NTSTATUS Status = STATUS_SUCCESS;
PreviousMode = KeGetPreviousMode(); PreviousMode = KeGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(NewTokenHandle,
sizeof(HANDLE),
sizeof(ULONG));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
Status = ObReferenceObjectByHandle(ExistingTokenHandle, Status = ObReferenceObjectByHandle(ExistingTokenHandle,
TOKEN_DUPLICATE, TOKEN_DUPLICATE,
SepTokenObjectType, SepTokenObjectType,
@ -1108,17 +1100,24 @@ NtDuplicateToken(IN HANDLE ExistingTokenHandle,
DesiredAccess, DesiredAccess,
0, 0,
NULL, NULL,
NewTokenHandle); &hToken);
ObDereferenceObject(NewToken); ObDereferenceObject(NewToken);
if (!NT_SUCCESS(Status)) if (NT_SUCCESS(Status))
{ {
DPRINT1("Failed to create token handle (Status %lx)\n"); _SEH_TRY
return Status; {
*NewTokenHandle = hToken;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
} }
return STATUS_SUCCESS; return Status;
} }
@ -1846,6 +1845,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
OUT PHANDLE TokenHandle) OUT PHANDLE TokenHandle)
{ {
PETHREAD Thread; PETHREAD Thread;
HANDLE hToken;
PTOKEN Token, NewToken, PrimaryToken; PTOKEN Token, NewToken, PrimaryToken;
BOOLEAN CopyOnOpen, EffectiveOnly; BOOLEAN CopyOnOpen, EffectiveOnly;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
@ -1853,7 +1853,30 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
OBJECT_ATTRIBUTES ObjectAttributes; OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_DESCRIPTOR SecurityDescriptor; SECURITY_DESCRIPTOR SecurityDescriptor;
PACL Dacl = NULL; PACL Dacl = NULL;
NTSTATUS Status; KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
PreviousMode = ExGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(TokenHandle,
sizeof(HANDLE),
sizeof(ULONG));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
/* /*
* At first open the thread token for information access and verify * At first open the thread token for information access and verify
@ -1861,7 +1884,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
*/ */
Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_QUERY_INFORMATION, Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_QUERY_INFORMATION,
PsThreadType, UserMode, (PVOID*)&Thread, PsThreadType, PreviousMode, (PVOID*)&Thread,
NULL); NULL);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
@ -1896,7 +1919,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
if (CopyOnOpen) if (CopyOnOpen)
{ {
Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS,
PsThreadType, UserMode, PsThreadType, PreviousMode,
(PVOID*)&Thread, NULL); (PVOID*)&Thread, NULL);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
@ -1945,7 +1968,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
} }
Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL, Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL,
TokenHandle); &hToken);
ObfDereferenceObject(NewToken); ObfDereferenceObject(NewToken);
} }
@ -1953,7 +1976,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
{ {
Status = ObOpenObjectByPointer(Token, HandleAttributes, Status = ObOpenObjectByPointer(Token, HandleAttributes,
NULL, DesiredAccess, SepTokenObjectType, NULL, DesiredAccess, SepTokenObjectType,
ExGetPreviousMode(), TokenHandle); PreviousMode, &hToken);
} }
ObfDereferenceObject(Token); ObfDereferenceObject(Token);
@ -1963,6 +1986,19 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
PsRestoreImpersonation(PsGetCurrentThread(), &ImpersonationState); PsRestoreImpersonation(PsGetCurrentThread(), &ImpersonationState);
} }
if(NT_SUCCESS(Status))
{
_SEH_TRY
{
*TokenHandle = hToken;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
return Status; return Status;
} }
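Review bot: In both NtDuplicateToken and NtOpenThreadTokenEx the new code writes `hToken` to the user-supplied pointer only after ObInsertObject/ObOpenObjectByPointer has already placed the handle in the caller's handle table, so if that final write faults (the earlier ProbeForWrite only checks the pointer at that moment; another thread can unmap the page in between) the call returns a failure status while the token handle stays open and unknown to the caller. Unless this mirrors an intended convention, the `_SEH_HANDLE` blocks should release it, e.g. `Status = _SEH_GetExceptionCode(); ZwClose(hToken);`, in both functions. Related, the probes use `sizeof(ULONG)` as the alignment for a `HANDLE`; `sizeof(HANDLE)` would keep the check correct if this code is ever built for a target where the two differ. The NtOpenThreadTokenEx signature and the start of NtDuplicateToken's parameter list lie outside the visible hunks.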