probe pointers in NtCreateToken. Still needs some work as access to the
buffers needs to be secured
Modified: trunk/reactos/ntoskrnl/se/token.c
_____
Modified: trunk/reactos/ntoskrnl/se/token.c
--- trunk/reactos/ntoskrnl/se/token.c 2005-02-14 00:28:12 UTC (rev
13552)
+++ trunk/reactos/ntoskrnl/se/token.c 2005-02-14 00:32:09 UTC (rev
13553)
@@ -1588,7 +1588,7 @@
NTSTATUS STDCALL
-NtCreateToken(OUT PHANDLE UnsafeTokenHandle,
+NtCreateToken(OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN TOKEN_TYPE TokenType,
@@ -1602,14 +1602,64 @@
IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
IN PTOKEN_SOURCE TokenSource)
{
- HANDLE TokenHandle;
+ HANDLE hToken;
PTOKEN AccessToken;
- NTSTATUS Status;
LUID TokenId;
LUID ModifiedId;
PVOID EndMem;
ULONG uLength;
ULONG i;
+ KPROCESSOR_MODE PreviousMode;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ PreviousMode = ExGetPreviousMode();
+
+ if(PreviousMode != KernelMode)
+ {
+ _SEH_TRY
+ {
+ ProbeForWrite(TokenHandle,
+ sizeof(HANDLE),
+ sizeof(ULONG));
+ ProbeForRead(AuthenticationId,
+ sizeof(LUID),
+ sizeof(ULONG));
+ ProbeForRead(ExpirationTime,
+ sizeof(LARGE_INTEGER),
+ sizeof(ULONG));
+ ProbeForRead(TokenUser,
+ sizeof(TOKEN_USER),
+ sizeof(ULONG));
+ ProbeForRead(TokenGroups,
+ sizeof(TOKEN_GROUPS),
+ sizeof(ULONG));
+ ProbeForRead(TokenPrivileges,
+ sizeof(TOKEN_PRIVILEGES),
+ sizeof(ULONG));
+ ProbeForRead(TokenOwner,
+ sizeof(TOKEN_OWNER),
+ sizeof(ULONG));
+ ProbeForRead(TokenPrimaryGroup,
+ sizeof(TOKEN_PRIMARY_GROUP),
+ sizeof(ULONG));
+ ProbeForRead(TokenDefaultDacl,
+ sizeof(TOKEN_DEFAULT_DACL),
+ sizeof(ULONG));
+ ProbeForRead(TokenSource,
+ sizeof(TOKEN_SOURCE),
+ sizeof(ULONG));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if(!NT_SUCCESS(Status))
+ {
+ return Status;
+ }
+ }
Status = ZwAllocateLocallyUniqueId(&TokenId);
if (!NT_SUCCESS(Status))
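Review bot: The probes added at the top of the new body validate only the fixed-size header of each argument, not the data it points to or that follows it: TokenGroups and TokenPrivileges carry GroupCount/PrivilegeCount trailing entries beyond sizeof(TOKEN_GROUPS)/sizeof(TOKEN_PRIVILEGES), and TokenUser, TokenOwner, TokenPrimaryGroup and TokenDefaultDacl embed user-mode pointers that are later dereferenced directly (the `@@ -1740` hunk reads `TokenDefaultDacl->DefaultDacl->AclSize` outside any _SEH_TRY). A probe also only checks the address at that instant, so the later copies from these buffers (starting with the RtlCopyLuid/memcpy in the `@@ -1634` hunk) should themselves run inside _SEH_TRY, with the counts and lengths captured into locals once, the trailing arrays and pointed-to SIDs/ACL probed using those captured sizes, and the count-times-sizeof products checked for overflow before probing. The commit message acknowledges this is unfinished; until it is done a marker such as `/* FIXME: only the fixed headers are probed; embedded SIDs, the DACL and the Groups/Privileges arrays are read unprobed below */` above the _SEH_TRY would warn the next reader. ProbeForRead rejects a NULL pointer, so if any of these arguments (TokenOwner and TokenDefaultDacl in particular) may legitimately be NULL under the intended contract, those probes need a NULL guard; that contract is not visible here and should be confirmed. NtCreateToken continues past the end of this hunk.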
@@ -1619,10 +1669,10 @@
if (!NT_SUCCESS(Status))
return(Status);
- Status = ObCreateObject(ExGetPreviousMode(),
+ Status = ObCreateObject(PreviousMode,
SepTokenObjectType,
ObjectAttributes,
- ExGetPreviousMode(),
+ PreviousMode,
NULL,
sizeof(TOKEN),
0,
@@ -1634,19 +1684,6 @@
return(Status);
}
- Status = ObInsertObject ((PVOID)AccessToken,
- NULL,
- DesiredAccess,
- 0,
- NULL,
- &TokenHandle);
- if (!NT_SUCCESS(Status))
- {
- DPRINT1("ObInsertObject() failed (Status %lx)\n");
- ObDereferenceObject (AccessToken);
- return Status;
- }
-
RtlCopyLuid(&AccessToken->TokenSource.SourceIdentifier,
&TokenSource->SourceIdentifier);
memcpy(AccessToken->TokenSource.SourceName,
@@ -1740,22 +1777,33 @@
TokenDefaultDacl->DefaultDacl->AclSize);
}
+ Status = ObInsertObject ((PVOID)AccessToken,
+ NULL,
+ DesiredAccess,
+ 0,
+ NULL,
+ &hToken);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("ObInsertObject() failed (Status %lx)\n", Status);
+ }
+
ObDereferenceObject(AccessToken);
if (NT_SUCCESS(Status))
{
- Status = MmCopyToCaller(UnsafeTokenHandle,
- &TokenHandle,
- sizeof(HANDLE));
+ _SEH_TRY
+ {
+ *TokenHandle = hToken;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
}
- if (!NT_SUCCESS(Status))
- {
- ZwClose(TokenHandle);
- return(Status);
- }
-
- return(STATUS_SUCCESS);
+ return Status;
}
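Review bot: When the `*TokenHandle = hToken` store faults, the handler sets Status to the exception code and the function returns it, but hToken has already been inserted into the caller's handle table by ObInsertObject and is never closed — the old code's `ZwClose(TokenHandle)` on the copy-out failure path was dropped together with MmCopyToCaller. Add after the `_SEH_END;` inside that block: `if (!NT_SUCCESS(Status)) ZwClose(hToken);` so a failed call does not leave an orphaned token handle open in the caller. The function's opening lies outside this hunk.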