On 16.02.2016 0:10, Sebastian Lackner wrote:
diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c index 125c86e..c32ae0c 100644 --- a/dlls/ntdll/sec.c +++ b/dlls/ntdll/sec.c @@ -1586,7 +1586,16 @@ NtAccessCheck( SecurityDescriptor, ClientToken, DesiredAccess, GenericMapping, PrivilegeSet, ReturnLength, GrantedAccess, AccessStatus);
- if (!PrivilegeSet || !ReturnLength) + if (!ReturnLength) + return STATUS_ACCESS_VIOLATION; + + if (*ReturnLength == 0) + { + *ReturnLength = sizeof(PRIVILEGE_SET); + return STATUS_BUFFER_TOO_SMALL; + }
This looks a bit hacky. The code below assumes that *ReturnLength > FIELD_OFFSET( PRIVILEGE_SET, Privilege ), so it would be interesting to know what happens for sizes 0 ... 8.
+ + if (!PrivilegeSet) return STATUS_ACCESS_VIOLATION;
SERVER_START_REQ( access_check )
Also it would be interesting to have same tests that call NtAccessCheck directly.