Author: weiden Date: Fri Oct 20 18:10:53 2006 New Revision: 24581
URL: http://svn.reactos.org/svn/reactos?rev=24581&view=rev Log: Fix integer overflow vulnerability in NtPrivilegeCheck
Modified: trunk/reactos/ntoskrnl/se/priv.c
Modified: trunk/reactos/ntoskrnl/se/priv.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/priv.c?rev=2458... ==============================================================================
--- trunk/reactos/ntoskrnl/se/priv.c (original)
+++ trunk/reactos/ntoskrnl/se/priv.c Fri Oct 20 18:10:53 2006
@@ -292,7 +292,7 @@
 NTSTATUS STDCALL
 NtPrivilegeCheck (IN HANDLE ClientToken,
                   IN PPRIVILEGE_SET RequiredPrivileges,
-                  IN PBOOLEAN Result)
+                  OUT PBOOLEAN Result)
 {
   PLUID_AND_ATTRIBUTES Privileges;
   PTOKEN Token;
@@ -313,16 +313,26 @@
   _SEH_TRY
   {
     ProbeForWrite(RequiredPrivileges,
-                  sizeof(PRIVILEGE_SET),
+                  FIELD_OFFSET(PRIVILEGE_SET,
+                               Privilege),
                   sizeof(ULONG));
     PrivilegeCount = RequiredPrivileges->PrivilegeCount;
     PrivilegeControl = RequiredPrivileges->Control;
+    /* Check PrivilegeCount to avoid an integer overflow! */
+    if (FIELD_OFFSET(PRIVILEGE_SET,
+                     Privilege[PrivilegeCount]) /
+        sizeof(RequiredPrivileges->Privilege[0]) != PrivilegeCount)
+    {
+      Status = STATUS_INVALID_PARAMETER;
+      _SEH_LEAVE;
+    }
+    /* probe all of the array */
     ProbeForWrite(RequiredPrivileges,
-                  sizeof(FIELD_OFFSET(PRIVILEGE_SET,
-                                      Privilege[PrivilegeCount])),
+                  FIELD_OFFSET(PRIVILEGE_SET,
+                               Privilege[PrivilegeCount]),
                   sizeof(ULONG));
ProbeForWriteBoolean(Result);
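Review bot: The new overflow guard after `PrivilegeControl = RequiredPrivileges->Control;` detects the wrap only after forming `FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount])` from the untrusted count, so it performs the oversized null-based pointer arithmetic first and then relies on the wrapped result dividing to a quotient different from PrivilegeCount; as far as I can tell that holds on the 32-bit build, but it depends on FIELD_OFFSET's result type and on wraparound semantics that C does not guarantee for this expression. A bound check that never forms the oversized offset is more robust and reads as the intent: `if (PrivilegeCount > (MAXULONG - FIELD_OFFSET(PRIVILEGE_SET, Privilege)) / sizeof(RequiredPrivileges->Privilege[0]))` with the same `STATUS_INVALID_PARAMETER` / `_SEH_LEAVE` body. The first probe now covers only `FIELD_OFFSET(PRIVILEGE_SET, Privilege)` bytes, which is right for reading `PrivilegeCount` and `Control` before the array length is validated; a comment such as `/* probe the fixed header only; the array length is not trusted yet */` would make that explicit. The enclosing `_SEH_TRY` block continues past the end of the hunk.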