https://git.reactos.org/?p=reactos.git;a=commitdiff;h=4425bd8db392a50eb1d07… commit 4425bd8db392a50eb1d0734bb3e7ab33927b4885 Author: Serge Gautherie <32623169+SergeGautherie(a)users.noreply.github.com> AuthorDate: Mon Jun 1 13:17:29 2020 +0200 Commit: GitHub <noreply(a)github.com> CommitDate: Mon Jun 1 14:17:29 2020 +0300 [CSRSRV] CsrSetProcessSecurity(): Check 1st NtQueryInformationToken() result (#2862) Also: * Add 1 NtClose(hToken), in an error case. * Do not call RtlFreeHeap(..., ..., NULL). Follow-up to #2857. --- subsystems/win32/csrsrv/init.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/subsystems/win32/csrsrv/init.c b/subsystems/win32/csrsrv/init.c index 49df131a862..69e9cfdea00 100644 --- a/subsystems/win32/csrsrv/init.c +++ b/subsystems/win32/csrsrv/init.c @@ -74,12 +74,18 @@ CsrSetProcessSecurity(VOID) if (!NT_SUCCESS(Status)) goto Quickie; /* Get the Token User Length */ - NtQueryInformationToken(hToken, TokenUser, NULL, 0, &Length); + Status = NtQueryInformationToken(hToken, TokenUser, NULL, 0, &Length); + if (Status != STATUS_BUFFER_TOO_SMALL) + { + NtClose(hToken); + goto Quickie; + } /* Allocate space for it */ TokenInfo = RtlAllocateHeap(CsrHeap, HEAP_ZERO_MEMORY, Length); if (!TokenInfo) { + NtClose(hToken); Status = STATUS_NO_MEMORY; goto Quickie; } @@ -153,7 +159,7 @@ CsrSetProcessSecurity(VOID) /* Free the memory and return */ Quickie: if (ProcSd) RtlFreeHeap(CsrHeap, 0, ProcSd); - RtlFreeHeap(CsrHeap, 0, TokenInfo); + if (TokenInfo) RtlFreeHeap(CsrHeap, 0, TokenInfo); return Status; }