https://git.reactos.org/?p=reactos.git;a=commitdiff;h=96761885432e19d403592…
commit 96761885432e19d4035922178e56c4c49f844153
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Sun May 22 18:33:46 2022 +0200
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Mon May 23 19:30:36 2022 +0200
[NTOS:SE] NtAdjustGroupsToken(): Avoid double-free on ObReferenceObjectByHandle
failure path (#4523)
---
ntoskrnl/se/token.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index aad1321abd6..65018f60f3f 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -5256,7 +5256,6 @@ NtAdjustGroupsToken(
ULONG NewStateSize = 0;
PSID_AND_ATTRIBUTES CapturedGroups = NULL;
BOOLEAN ChangesMade = FALSE;
- BOOLEAN LockAndReferenceAcquired = FALSE;
PAGED_CODE();
@@ -5363,12 +5362,11 @@ NtAdjustGroupsToken(
TRUE);
}
- goto Quit;
+ return Status;
}
/* Lock the token */
SepAcquireTokenLockExclusive(Token);
- LockAndReferenceAcquired = TRUE;
/* Count the number of groups to be changed */
Status = SepAdjustGroups(Token,
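Review bot: The new `return Status;` in the ObReferenceObjectByHandle failure branch skips `Quit` on purpose, but nothing at that line says so. A later cleanup pass could turn it back into `goto Quit` for consistency and reintroduce the double release named in the commit title. A short comment above it would pin the reason, e.g. `/* Token was never referenced or locked, and the captured groups were already released above; do not jump to Quit */`. The branch begins above the hunk, so the claim that the captured groups are released there is inferred from the trailing `TRUE);` context line and the commit title rather than from visible code.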
@@ -5442,13 +5440,9 @@ Quit:
ExAllocateLocallyUniqueId(&Token->ModifiedId);
}
- /* Have we successfully acquired the lock and referenced the token before? */
- if (LockAndReferenceAcquired)
- {
- /* Unlock and dereference the token */
- SepReleaseTokenLock(Token);
- ObDereferenceObject(Token);
- }
+ /* Unlock and dereference the token */
+ SepReleaseTokenLock(Token);
+ ObDereferenceObject(Token);
/* Release the captured groups */
if (CapturedGroups != NULL)
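Review bot: With the `LockAndReferenceAcquired` guard removed, the `Quit` label now calls `SepReleaseTokenLock(Token)` and `ObDereferenceObject(Token)` unconditionally. Correctness therefore depends on every `goto Quit` in NtAdjustGroupsToken coming after `SepAcquireTokenLockExclusive(Token)`. The paths visible in these hunks satisfy that, but the function starts and continues outside them, so any earlier jump to `Quit` needs checking: it would release a lock that is not held and drop a reference that was never taken. Stating the invariant at the label would protect future edits, e.g. `/* Quit is only reached with the token referenced and its lock held exclusively */`.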