13 Feb
2005
13 Feb
'05
10 p.m.
fixed wrong buffer check in NtDuplicateToken and added buffer checks in
NtOpenThreadTokenEx
Modified: trunk/reactos/ntoskrnl/se/token.c
_____
Modified: trunk/reactos/ntoskrnl/se/token.c
--- trunk/reactos/ntoskrnl/se/token.c 2005-02-13 21:32:50 UTC (rev
13540)
+++ trunk/reactos/ntoskrnl/se/token.c 2005-02-13 22:00:36 UTC (rev
13541)
@@ -136,27 +136,6 @@
PVOID EndMem;
PTOKEN AccessToken;
NTSTATUS Status;
-
- if(PreviousMode != KernelMode)
- {
- Status = STATUS_SUCCESS;
- _SEH_TRY
- {
- ProbeForWrite(NewAccessToken,
- sizeof(TOKEN),
- sizeof(ULONG));
- }
- _SEH_HANDLE
- {
- Status = _SEH_GetExceptionCode();
- }
- _SEH_END;
-
- if(!NT_SUCCESS(Status))
- {
- return Status;
- }
- }
Status = ObCreateObject(PreviousMode,
SepTokenObjectType,
@@ -263,17 +242,8 @@
if ( NT_SUCCESS(Status) )
{
- _SEH_TRY
- {
- *NewAccessToken = AccessToken;
- Status = STATUS_SUCCESS;
- }
- _SEH_HANDLE
- {
- Status = _SEH_GetExceptionCode();
- }
- _SEH_END;
- return Status;
+ *NewAccessToken = AccessToken;
+ return(STATUS_SUCCESS);
}
ObDereferenceObject(AccessToken);
@@ -1068,11 +1038,33 @@
OUT PHANDLE NewTokenHandle)
{
KPROCESSOR_MODE PreviousMode;
+ HANDLE hToken;
PTOKEN Token;
PTOKEN NewToken;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
PreviousMode = KeGetPreviousMode();
+
+ if(PreviousMode != KernelMode)
+ {
+ _SEH_TRY
+ {
+ ProbeForWrite(NewTokenHandle,
+ sizeof(HANDLE),
+ sizeof(ULONG));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if(!NT_SUCCESS(Status))
+ {
+ return Status;
+ }
+ }
+
Status = ObReferenceObjectByHandle(ExistingTokenHandle,
TOKEN_DUPLICATE,
SepTokenObjectType,
@@ -1108,17 +1100,24 @@
DesiredAccess,
0,
NULL,
- NewTokenHandle);
+ &hToken);
ObDereferenceObject(NewToken);
- if (!NT_SUCCESS(Status))
+ if (NT_SUCCESS(Status))
{
- DPRINT1("Failed to create token handle (Status %lx)\n");
- return Status;
+ _SEH_TRY
+ {
+ *NewTokenHandle = hToken;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
}
- return STATUS_SUCCESS;
+ return Status;
}
@@ -1846,6 +1845,7 @@
OUT PHANDLE TokenHandle)
{
PETHREAD Thread;
+ HANDLE hToken;
PTOKEN Token, NewToken, PrimaryToken;
BOOLEAN CopyOnOpen, EffectiveOnly;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
@@ -1853,7 +1853,30 @@
OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_DESCRIPTOR SecurityDescriptor;
PACL Dacl = NULL;
- NTSTATUS Status;
+ KPROCESSOR_MODE PreviousMode;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ PreviousMode = ExGetPreviousMode();
+
+ if(PreviousMode != KernelMode)
+ {
+ _SEH_TRY
+ {
+ ProbeForWrite(TokenHandle,
+ sizeof(HANDLE),
+ sizeof(ULONG));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if(!NT_SUCCESS(Status))
+ {
+ return Status;
+ }
+ }
/*
* At first open the thread token for information access and verify
@@ -1861,7 +1884,7 @@
*/
Status = ObReferenceObjectByHandle(ThreadHandle,
THREAD_QUERY_INFORMATION,
- PsThreadType, UserMode,
(PVOID*)&Thread,
+ PsThreadType, PreviousMode,
(PVOID*)&Thread,
NULL);
if (!NT_SUCCESS(Status))
{
@@ -1896,7 +1919,7 @@
if (CopyOnOpen)
{
Status = ObReferenceObjectByHandle(ThreadHandle,
THREAD_ALL_ACCESS,
- PsThreadType, UserMode,
+ PsThreadType, PreviousMode,
(PVOID*)&Thread, NULL);
if (!NT_SUCCESS(Status))
{
@@ -1945,7 +1968,7 @@
}
Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL,
- TokenHandle);
+ &hToken);
ObfDereferenceObject(NewToken);
}
@@ -1953,7 +1976,7 @@
{
Status = ObOpenObjectByPointer(Token, HandleAttributes,
NULL, DesiredAccess,
SepTokenObjectType,
- ExGetPreviousMode(), TokenHandle);
+ PreviousMode, &hToken);
}
ObfDereferenceObject(Token);
@@ -1963,6 +1986,19 @@
PsRestoreImpersonation(PsGetCurrentThread(),
&ImpersonationState);
}
+ if(NT_SUCCESS(Status))
+ {
+ _SEH_TRY
+ {
+ *TokenHandle = hToken;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+ }
+
return Status;
}