https://git.reactos.org/?p=reactos.git;a=commitdiff;h=0b4763f1b1eb3231cbfa6…
commit 0b4763f1b1eb3231cbfa6f668f003e4296e52edc
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Fri Sep 24 19:39:30 2021 +0200
Commit: George Bișoc <george.bisoc(a)reactos.org>
CommitDate: Fri Sep 24 19:39:30 2021 +0200
[NTOS:SE] Do not set SE_DACL_PRESENT flag that early
The function might assign the flag yet it could possibly fail on creating a DACL and insert an "access allowed" right to the access entry within the DACL. In this case, make sure we actually succeeded on all the tasks and THEN assign the flag that the DACL is truly present.
Also, make sure that the Current buffer size variable gets its new size so that we avoid overriding the memory of the DACL if the security descriptor wants both a DACL and SACL and so that happens that the DACL memory gets overwritten by the SACL.
---
ntoskrnl/se/sd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ntoskrnl/se/sd.c b/ntoskrnl/se/sd.c
index 76584c2c5c0..56f013bf446 100644
--- a/ntoskrnl/se/sd.c
+++ b/ntoskrnl/se/sd.c
@@ -220,7 +220,6 @@ SeSetWorldSecurityDescriptor(
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
PACL Dacl = (PACL)((PUCHAR)SdRel + Current);
- SdRel->Control |= SE_DACL_PRESENT;
Status = RtlCreateAcl(Dacl,
sizeof(ACL) + sizeof(ACE) + SidSize,
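Review bot: the DACL's byte size exists only as the inline expression sizeof(ACL) + sizeof(ACE) + SidSize in the RtlCreateAcl call, so nothing else in the function can refer to how much room the ACL takes at SdRel + Current. Consider hoisting it into a named local before the call (a name such as DaclSize is a suggestion, it is not in the patch) so that the offset bookkeeping after the DACL is built uses the same value instead of recomputing or approximating it.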
@@ -235,7 +234,9 @@ SeSetWorldSecurityDescriptor(
if (!NT_SUCCESS(Status))
return Status;
+ SdRel->Control |= SE_DACL_PRESENT;
SdRel->Dacl = Current;
+ Current += SidSize;
}
if (SecurityInformation & SACL_SECURITY_INFORMATION)
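Review bot: "Current += SidSize;" advances the offset by less than the DACL occupies. The ACL placed at SdRel + Current was created with sizeof(ACL) + sizeof(ACE) + SidSize bytes (the RtlCreateAcl call in the previous hunk), so after this increment Current still points inside the DACL, sizeof(ACL) + sizeof(ACE) bytes short of its end. If the SACL branch that follows lays out its ACL at Current, it will still overlap the tail of the DACL, which is the overwrite the commit message sets out to prevent. Suggest advancing by the full size, "Current += sizeof(ACL) + sizeof(ACE) + SidSize;", or by the AclSize field of the ACL header once RtlCreateAcl has filled it in. Moving the SE_DACL_PRESENT assignment after the NT_SUCCESS(Status) check looks right; a one-line comment there saying the flag is set only once the DACL is fully built would keep a later edit from moving it back up.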