fixed wrong buffer check in NtDuplicateToken and added buffer checks in
NtOpenThreadTokenEx
Modified: trunk/reactos/ntoskrnl/se/token.c
  _____
Modified: trunk/reactos/ntoskrnl/se/token.c
--- trunk/reactos/ntoskrnl/se/token.c   2005-02-13 21:32:50 UTC (rev
13540)
+++ trunk/reactos/ntoskrnl/se/token.c   2005-02-13 22:00:36 UTC (rev
13541)
@@ -136,27 +136,6 @@
   PVOID EndMem;
   PTOKEN AccessToken;
   NTSTATUS Status;
-
-  if(PreviousMode != KernelMode)
-  {
-    Status = STATUS_SUCCESS;
-    _SEH_TRY
-    {
-      ProbeForWrite(NewAccessToken,
-                    sizeof(TOKEN),
-                    sizeof(ULONG));
-    }
-    _SEH_HANDLE
-    {
-      Status = _SEH_GetExceptionCode();
-    }
-    _SEH_END;
-
-    if(!NT_SUCCESS(Status))
-    {
-      return Status;
-    }
-  }
   Status = ObCreateObject(PreviousMode,
                          SepTokenObjectType,
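Review bot: With the probe dropped here and the write in the next hunk (`*NewAccessToken = AccessToken;`) no longer wrapped in SEH, this routine now depends on every caller handing it a kernel-mode `PTOKEN *`; nothing in the hunk records that contract, and the function's header lies outside the hunk. I would state it above the definition so the next caller does not pass a user pointer through: `/* NewAccessToken must point to kernel memory. Callers that expose this to user mode (e.g. NtDuplicateToken) probe the user buffer and copy the result out themselves. */`. The removed probe also checked `sizeof(TOKEN)` against a pointer-sized output, so dropping it rather than fixing the size is the right direction; the contract comment is what is still missing.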
@@ -263,17 +242,8 @@
   if ( NT_SUCCESS(Status) )
     {
-      _SEH_TRY
-      {
-        *NewAccessToken = AccessToken;
-        Status = STATUS_SUCCESS;
-      }
-      _SEH_HANDLE
-      {
-        Status = _SEH_GetExceptionCode();
-      }
-      _SEH_END;
-      return Status;
+      *NewAccessToken = AccessToken;
+      return(STATUS_SUCCESS);
     }
   ObDereferenceObject(AccessToken);
@@ -1068,11 +1038,33 @@
                 OUT PHANDLE NewTokenHandle)
 {
   KPROCESSOR_MODE PreviousMode;
+  HANDLE hToken;
   PTOKEN Token;
   PTOKEN NewToken;
-  NTSTATUS Status;
+  NTSTATUS Status = STATUS_SUCCESS;
   PreviousMode = KeGetPreviousMode();
+
+  if(PreviousMode != KernelMode)
+  {
+    _SEH_TRY
+    {
+      ProbeForWrite(NewTokenHandle,
+                    sizeof(HANDLE),
+                    sizeof(ULONG));
+    }
+    _SEH_HANDLE
+    {
+      Status = _SEH_GetExceptionCode();
+    }
+    _SEH_END;
+
+    if(!NT_SUCCESS(Status))
+    {
+      return Status;
+    }
+  }
+
   Status = ObReferenceObjectByHandle(ExistingTokenHandle,
                                     TOKEN_DUPLICATE,
                                     SepTokenObjectType,
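Review bot: The new ProbeForWrite call hard-codes `sizeof(ULONG)` as the alignment requirement for a HANDLE-sized write, which is only correct while HANDLE and ULONG happen to have the same size; the alignment should be derived from the type actually written, `sizeof(HANDLE)`, so the probe stays right on a build where pointers are wider. The same literal is used in the NtOpenThreadTokenEx probe added in the hunk at old line 1853. Pre-setting `Status = STATUS_SUCCESS` at the declaration so the post-SEH check fires only on a fault reads fine; NtDuplicateToken's signature starts outside this hunk.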
@@ -1108,17 +1100,24 @@
                          DesiredAccess,
                          0,
                          NULL,
-                         NewTokenHandle);
+                         &hToken);
   ObDereferenceObject(NewToken);
-  if (!NT_SUCCESS(Status))
+  if (NT_SUCCESS(Status))
     {
-      DPRINT1("Failed to create token handle (Status %lx)\n");
-      return Status;
+      _SEH_TRY
+      {
+        *NewTokenHandle = hToken;
+      }
+      _SEH_HANDLE
+      {
+        Status = _SEH_GetExceptionCode();
+      }
+      _SEH_END;
     }
-  return STATUS_SUCCESS;
+  return Status;
 }
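Review bot: If the copy-out `*NewTokenHandle = hToken;` faults, the handler records the exception code and the function returns failure, but the handle that ObInsertObject already placed in the caller's handle table is neither closed nor reported back, so a failed call leaves an open token handle behind. The earlier probe does not cover this write, since the page can become invalid between the probe and the store, so the handler should release the handle: `Status = _SEH_GetExceptionCode();` followed by `ZwClose(hToken);` (or whatever kernel-side close this file uses). The equivalent copy-out in NtOpenThreadTokenEx at the hunk for old line 1963 has the same gap and would take the same two-line fix.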
@@ -1846,6 +1845,7 @@
                     OUT PHANDLE TokenHandle)
 {
   PETHREAD Thread;
+  HANDLE hToken;
   PTOKEN Token, NewToken, PrimaryToken;
   BOOLEAN CopyOnOpen, EffectiveOnly;
   SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
@@ -1853,7 +1853,30 @@
   OBJECT_ATTRIBUTES ObjectAttributes;
   SECURITY_DESCRIPTOR SecurityDescriptor;
   PACL Dacl = NULL;
-  NTSTATUS Status;
+  KPROCESSOR_MODE PreviousMode;
+  NTSTATUS Status = STATUS_SUCCESS;
+
+  PreviousMode = ExGetPreviousMode();
+
+  if(PreviousMode != KernelMode)
+  {
+    _SEH_TRY
+    {
+      ProbeForWrite(TokenHandle,
+                    sizeof(HANDLE),
+                    sizeof(ULONG));
+    }
+    _SEH_HANDLE
+    {
+      Status = _SEH_GetExceptionCode();
+    }
+    _SEH_END;
+
+    if(!NT_SUCCESS(Status))
+    {
+      return Status;
+    }
+  }
   /*
    * At first open the thread token for information access and verify
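Review bot: The new line reads the caller's mode with `ExGetPreviousMode()` while NtDuplicateToken, changed in the same commit (hunk at old line 1068), uses `KeGetPreviousMode()` for the same purpose; the file should settle on one accessor so readers do not wonder whether the two differ. Caching the value in `PreviousMode` once and reusing it for the later ObReferenceObjectByHandle and ObOpenObjectByPointer calls is a good change, as the old code mixed a hard-coded `UserMode` with a fresh `ExGetPreviousMode()` call. NtOpenThreadTokenEx's signature is outside this hunk.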
@@ -1861,7 +1884,7 @@
    */
   Status = ObReferenceObjectByHandle(ThreadHandle,
THREAD_QUERY_INFORMATION,
-                                     PsThreadType, UserMode,
(PVOID*)&Thread,
+                                     PsThreadType, PreviousMode,
(PVOID*)&Thread,
                                      NULL);
   if (!NT_SUCCESS(Status))
     {
@@ -1896,7 +1919,7 @@
   if (CopyOnOpen)
     {
       Status = ObReferenceObjectByHandle(ThreadHandle,
THREAD_ALL_ACCESS,
-                                         PsThreadType, UserMode,
+                                         PsThreadType, PreviousMode,
                                          (PVOID*)&Thread, NULL);
       if (!NT_SUCCESS(Status))
         {
@@ -1945,7 +1968,7 @@
         }
       Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL,
-                              TokenHandle);
+                              &hToken);
       ObfDereferenceObject(NewToken);
     }
@@ -1953,7 +1976,7 @@
     {
       Status = ObOpenObjectByPointer(Token, HandleAttributes,
                                      NULL, DesiredAccess,
SepTokenObjectType,
-                                     ExGetPreviousMode(), TokenHandle);
+                                     PreviousMode, &hToken);
     }
   ObfDereferenceObject(Token);
@@ -1963,6 +1986,19 @@
       PsRestoreImpersonation(PsGetCurrentThread(),
&ImpersonationState);
     }
+  if(NT_SUCCESS(Status))
+  {
+    _SEH_TRY
+    {
+      *TokenHandle = hToken;
+    }
+    _SEH_HANDLE
+    {
+      Status = _SEH_GetExceptionCode();
+    }
+    _SEH_END;
+  }
+
   return Status;
 }