[ekohl] 46491: [NTOSKRNL] NtAccessCheck: Check for a valid security descriptor. - Ros-diffs

27 Mar 2010

Author: ekohl
Date: Sat Mar 27 17:54:02 2010
New Revision: 46491
URL: http://svn.reactos.org/svn/reactos?rev=46491&view=rev
Log:
[NTOSKRNL]
NtAccessCheck: Check for a valid security descriptor.
Modified:
    trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=46…
==============================================================================

--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sat Mar 27 17:54:02 2010
@@ -630,6 +630,37 @@
     }
 }
+static PSID
+SepGetSDOwner(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+    PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+    PSID Owner;
+
+    if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+        Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
+                       (ULONG_PTR)SecurityDescriptor);
+    else
+        Owner = (PSID)SecurityDescriptor->Owner;
+
+    return Owner;
+}
+
+static PSID
+SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+    PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+    PSID Group;
+
+    if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+        Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
+                       (ULONG_PTR)SecurityDescriptor);
+    else
+        Group = (PSID)SecurityDescriptor->Group;
+
+    return Group;
+}
+
+
 /* PUBLIC FUNCTIONS ***********************************************************/
 /*
@@ -734,14 +765,14 @@
                                        NULL);
     if (!NT_SUCCESS(Status))
     {
-        DPRINT1("Failed to reference token (Status %lx)\n", Status);
+        DPRINT("Failed to reference token (Status %lx)\n", Status);
         return Status;
     }
     /* Check token type */
     if (Token->TokenType != TokenImpersonation)
     {
-        DPRINT1("No impersonation token\n");
+        DPRINT("No impersonation token\n");
         ObDereferenceObject(Token);
         return STATUS_NO_IMPERSONATION_TOKEN;
     }
@@ -749,9 +780,18 @@
     /* Check the impersonation level */
     if (Token->ImpersonationLevel < SecurityIdentification)
     {
-        DPRINT1("Impersonation level < SecurityIdentification\n");
+        DPRINT("Impersonation level < SecurityIdentification\n");
         ObDereferenceObject(Token);
         return STATUS_BAD_IMPERSONATION_LEVEL;
+    }
+
+    /* Check security descriptor for valid owner and group */
+    if (SepGetSDOwner(SecurityDescriptor)== NULL ||
+        SepGetSDGroup(SecurityDescriptor) == NULL)
+    {
+        DPRINT("Security Descriptor does not have a valid group or owner\n");
+        ObDereferenceObject(Token);
+        return STATUS_INVALID_SECURITY_DESCR;
     }
     /* Set up the subject context, and lock it */
@@ -774,8 +814,10 @@
                    AccessStatus,
                    SecurityIdentification);
-    /* Unlock subject context and dereference the token */
+    /* Unlock subject context */
     SeUnlockSubjectContext(&SubjectSecurityContext);
+
+    /* Dereference the token */
     ObDereferenceObject(Token);
     /* Check succeeded */
    