Author: ekohl Date: Sat Mar 27 17:54:02 2010 New Revision: 46491
URL: http://svn.reactos.org/svn/reactos?rev=46491&view=rev Log: [NTOSKRNL] NtAccessCheck: Check for a valid security descriptor.
Modified: trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=464... ==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sat Mar 27 17:54:02 2010
@@ -630,6 +630,37 @@
 }
 }
+static PSID
+SepGetSDOwner(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+ PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PSID Owner;
+
+ if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+ Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
+ (ULONG_PTR)SecurityDescriptor);
+ else
+ Owner = (PSID)SecurityDescriptor->Owner;
+
+ return Owner;
+}
+
+static PSID
+SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+ PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PSID Group;
+
+ if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+ Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
+ (ULONG_PTR)SecurityDescriptor);
+ else
+ Group = (PSID)SecurityDescriptor->Group;
+
+ return Group;
+}
+
+
 /* PUBLIC FUNCTIONS ***********************************************************/
/*
@@ -734,14 +765,14 @@
 NULL);
 if (!NT_SUCCESS(Status))
 {
- DPRINT1("Failed to reference token (Status %lx)\n", Status);
+ DPRINT("Failed to reference token (Status %lx)\n", Status);
 return Status;
 }
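Review bot: In SepGetSDOwner the self-relative branch adds the descriptor base to the Owner offset without first testing that offset for zero, so a self-relative descriptor with no owner yields the descriptor's own address instead of NULL, and the `== NULL` test added in the later hunk at -749 cannot reject it. SepGetSDGroup has the same shape for Group. Testing the field before the branch, e.g. `if (SecurityDescriptor->Owner == NULL) return NULL;` (and the equivalent line for Group), would make both descriptor forms report a missing SID. The helpers also have no length to bound the offset against, so an offset pointing outside the descriptor is returned as if valid; a short comment on each helper stating that the result is unvalidated would help callers.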
/* Check token type */
 if (Token->TokenType != TokenImpersonation)
 {
- DPRINT1("No impersonation token\n");
+ DPRINT("No impersonation token\n");
 ObDereferenceObject(Token);
 return STATUS_NO_IMPERSONATION_TOKEN;
 }
@@ -749,9 +780,18 @@
 /* Check the impersonation level */
 if (Token->ImpersonationLevel < SecurityIdentification)
 {
- DPRINT1("Impersonation level < SecurityIdentification\n");
+ DPRINT("Impersonation level < SecurityIdentification\n");
 ObDereferenceObject(Token);
 return STATUS_BAD_IMPERSONATION_LEVEL;
+ }
+
+ /* Check security descriptor for valid owner and group */
+ if (SepGetSDOwner(SecurityDescriptor)== NULL ||
+ SepGetSDGroup(SecurityDescriptor) == NULL)
+ {
+ DPRINT("Security Descriptor does not have a valid group or owner\n");
+ ObDereferenceObject(Token);
+ return STATUS_INVALID_SECURITY_DESCR;
 }
/* Set up the subject context, and lock it */
@@ -774,8 +814,10 @@
 AccessStatus,
 SecurityIdentification);
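Review bot: The new owner/group check reads `Control`, `Owner` and `Group` directly through the SecurityDescriptor pointer, and nothing in the visible hunks shows that pointer being probed or captured into kernel memory beforehand. If it is still the caller's buffer at this point, an invalid pointer faults inside the system call, and the fields can change between this check and the access check that follows, so the validation should run on a captured copy. NtAccessCheck begins and ends outside this hunk, so a capture may exist elsewhere and is worth confirming. Minor style point: `SepGetSDOwner(SecurityDescriptor)== NULL` is missing the space before `==`.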
- /* Unlock subject context and dereference the token */
+ /* Unlock subject context */
 SeUnlockSubjectContext(&SubjectSecurityContext);
+
+ /* Dereference the token */
 ObDereferenceObject(Token);
/* Check succeeded */