Author: weiden
Date: Fri Oct 20 18:10:53 2006
New Revision: 24581
URL:
http://svn.reactos.org/svn/reactos?rev=24581&view=rev
Log:
Fix integer overflow vulnerability in NtPrivilegeCheck
Modified:
trunk/reactos/ntoskrnl/se/priv.c
Modified: trunk/reactos/ntoskrnl/se/priv.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/priv.c?rev=245…
==============================================================================
--- trunk/reactos/ntoskrnl/se/priv.c (original)
+++ trunk/reactos/ntoskrnl/se/priv.c Fri Oct 20 18:10:53 2006
@@ -292,7 +292,7 @@
NTSTATUS STDCALL
NtPrivilegeCheck (IN HANDLE ClientToken,
IN PPRIVILEGE_SET RequiredPrivileges,
- IN PBOOLEAN Result)
+ OUT PBOOLEAN Result)
{
PLUID_AND_ATTRIBUTES Privileges;
PTOKEN Token;
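Review bot: `RequiredPrivileges` on the line above the changed one keeps its `IN` annotation, yet the body (the second hunk, further down) probes that same pointer with `ProbeForWrite` twice, which asserts the structure must be writable by the caller and suggests it is written back; for consistency with the new `OUT PBOOLEAN Result`, `IN OUT PPRIVILEGE_SET RequiredPrivileges,` would match what the probes require. The declaration also carries no header comment; a short one above `NtPrivilegeCheck` stating that `RequiredPrivileges` is a user-mode buffer whose `PrivilegeCount` is validated before the array is touched, and that the outcome is stored through `Result`, would document the contract the checks enforce (whether the set itself is modified is not visible here and should be confirmed before stating it). The function's body continues outside this hunk.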
@@ -313,16 +313,26 @@
_SEH_TRY
{
ProbeForWrite(RequiredPrivileges,
- sizeof(PRIVILEGE_SET),
+ FIELD_OFFSET(PRIVILEGE_SET,
+ Privilege),
sizeof(ULONG));
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
+ /* Check PrivilegeCount to avoid an integer overflow! */
+ if (FIELD_OFFSET(PRIVILEGE_SET,
+ Privilege[PrivilegeCount]) /
+ sizeof(RequiredPrivileges->Privilege[0]) != PrivilegeCount)
+ {
+ Status = STATUS_INVALID_PARAMETER;
+ _SEH_LEAVE;
+ }
+
/* probe all of the array */
ProbeForWrite(RequiredPrivileges,
- sizeof(FIELD_OFFSET(PRIVILEGE_SET,
- Privilege[PrivilegeCount])),
+ FIELD_OFFSET(PRIVILEGE_SET,
+ Privilege[PrivilegeCount]),
sizeof(ULONG));
ProbeForWriteBoolean(Result);