https://git.reactos.org/?p=reactos.git;a=commitdiff;h=4425bd8db392a50eb1d07…
commit 4425bd8db392a50eb1d0734bb3e7ab33927b4885
Author: Serge Gautherie <32623169+SergeGautherie(a)users.noreply.github.com>
AuthorDate: Mon Jun 1 13:17:29 2020 +0200
Commit: GitHub <noreply(a)github.com>
CommitDate: Mon Jun 1 14:17:29 2020 +0300
[CSRSRV] CsrSetProcessSecurity(): Check 1st NtQueryInformationToken() result (#2862)
Also:
* Add 1 NtClose(hToken), in an error case.
* Do not call RtlFreeHeap(..., ..., NULL).
Follow-up to #2857.
---
subsystems/win32/csrsrv/init.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/subsystems/win32/csrsrv/init.c b/subsystems/win32/csrsrv/init.c
index 49df131a862..69e9cfdea00 100644
--- a/subsystems/win32/csrsrv/init.c
+++ b/subsystems/win32/csrsrv/init.c
@@ -74,12 +74,18 @@ CsrSetProcessSecurity(VOID)
if (!NT_SUCCESS(Status)) goto Quickie;
/* Get the Token User Length */
- NtQueryInformationToken(hToken, TokenUser, NULL, 0, &Length);
+ Status = NtQueryInformationToken(hToken, TokenUser, NULL, 0, &Length);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ {
+ NtClose(hToken);
+ goto Quickie;
+ }
/* Allocate space for it */
TokenInfo = RtlAllocateHeap(CsrHeap, HEAP_ZERO_MEMORY, Length);
if (!TokenInfo)
{
+ NtClose(hToken);
Status = STATUS_NO_MEMORY;
goto Quickie;
}
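Review bot: The new `Status != STATUS_BUFFER_TOO_SMALL` branch jumps to `Quickie` with whatever status the size query returned, so a success code from that call would make the function return success without having applied the process security settings. That result is not expected for a zero-length buffer, but the branch can rule it out explicitly with `if (NT_SUCCESS(Status)) Status = STATUS_UNSUCCESSFUL;` before the `goto Quickie;`. The function body starts before and continues after this hunk, so how `Length` and `TokenInfo` are used afterwards is not visible here.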
@@ -153,7 +159,7 @@ CsrSetProcessSecurity(VOID)
/* Free the memory and return */
Quickie:
if (ProcSd) RtlFreeHeap(CsrHeap, 0, ProcSd);
- RtlFreeHeap(CsrHeap, 0, TokenInfo);
+ if (TokenInfo) RtlFreeHeap(CsrHeap, 0, TokenInfo);
return Status;
}
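Review bot: `Quickie` releases `ProcSd` and `TokenInfo` but not `hToken`, so every error branch has to remember its own `NtClose(hToken)`, as the two calls this commit adds in the first hunk show. Since this code is in csrsrv, a branch that misses the call would presumably leak a token handle for the life of that process. Closing the token once in the cleanup path would be more robust: `if (hToken) NtClose(hToken);` under `Quickie:`, with `hToken` initialised to `NULL` and the per-branch closes dropped. The declarations and the code between the two hunks are outside this view, so first confirm whether `hToken` is already closed on the success path and whether `TokenInfo` and `ProcSd` start as `NULL`.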