On 16.02.2016 0:10, Sebastian Lackner wrote:
diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c index 125c86e..c32ae0c 100644 --- a/dlls/ntdll/sec.c +++ b/dlls/ntdll/sec.c @@ -1586,7 +1586,16 @@ NtAccessCheck( SecurityDescriptor, ClientToken, DesiredAccess, GenericMapping, PrivilegeSet, ReturnLength, GrantedAccess, AccessStatus);
- if (!PrivilegeSet || !ReturnLength)
- if (!ReturnLength)
return STATUS_ACCESS_VIOLATION;
- if (*ReturnLength == 0)
- {
*ReturnLength = sizeof(PRIVILEGE_SET);
return STATUS_BUFFER_TOO_SMALL;
- }
This looks a bit hacky. The code below assumes that *ReturnLength > FIELD_OFFSET( PRIVILEGE_SET, Privilege ), so it would be interesting to know what happens for sizes 0 ... 8.
if (!PrivilegeSet) return STATUS_ACCESS_VIOLATION;
SERVER_START_REQ( access_check )
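Review bot: the size check in this hunk rejects only `*ReturnLength == 0`, so a caller passing a buffer of 1 to 7 bytes gets past it even though the code that follows assumes at least FIELD_OFFSET( PRIVILEGE_SET, Privilege ) bytes are available for PrivilegeCount and Control; consider `if (*ReturnLength < sizeof(PRIVILEGE_SET))` (or at the very least `< FIELD_OFFSET( PRIVILEGE_SET, Privilege )`) in place of `if (*ReturnLength == 0)`, still storing sizeof(PRIVILEGE_SET) in *ReturnLength and returning STATUS_BUFFER_TOO_SMALL. Moving `if (!PrivilegeSet) return STATUS_ACCESS_VIOLATION;` below the size check is what lets a NULL PrivilegeSet with a zero *ReturnLength query the required size, so a one-line comment explaining that ordering would keep it from being reshuffled later.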
Also it would be interesting to have same tests that call NtAccessCheck directly.
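The question of what a caller gets for buffer sizes 0 ... 8 can be answered with a small model of the check order in the quoted hunk. The program below is an added example and is not Wine's code or the patch author's: it defines stand-in PRIVILEGE_SET and NTSTATUS types so it builds without windows.h, keeps the hunk's order of checks (ReturnLength pointer, then size, then PrivilegeSet pointer), and then writes the fixed header the way a real implementation must before filling in the privileges. The two size policies, the function names, and the header-only write are assumptions made for the illustration; the status code values are the ones from ntstatus.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Windows types and status codes (values as in ntstatus.h),
 * so this builds on any C compiler without windows.h.  Hypothetical layout,
 * matching the public PRIVILEGE_SET definition: two ULONG header fields, then
 * an ANYSIZE_ARRAY of LUID_AND_ATTRIBUTES. */
typedef uint32_t ULONG;
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u
#define FIELD_OFFSET(type, field) ((ULONG)offsetof(type, field))

typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; ULONG Attributes; } LUID_AND_ATTRIBUTES;
typedef struct {
    ULONG PrivilegeCount;
    ULONG Control;
    LUID_AND_ATTRIBUTES Privilege[1];   /* ANYSIZE_ARRAY */
} PRIVILEGE_SET;

/* Two ways of validating *ReturnLength before the buffer is touched. */
enum size_policy {
    REJECT_ZERO_ONLY,     /* if (*ReturnLength == 0) ..., as in the quoted hunk */
    REJECT_BELOW_HEADER   /* if (*ReturnLength < FIELD_OFFSET(PRIVILEGE_SET, Privilege)) */
};

/* Hypothetical model of the validation prologue (not Wine's code).  It keeps
 * the hunk's check order and then stores the header fields, which a real
 * implementation does regardless of how much room the caller actually has.
 * 'bytes_written' reports how many bytes that header store covered. */
static NTSTATUS model_access_check_prologue(enum size_policy policy,
                                            PRIVILEGE_SET *PrivilegeSet,
                                            ULONG *ReturnLength,
                                            ULONG *bytes_written)
{
    const ULONG header = FIELD_OFFSET(PRIVILEGE_SET, Privilege);   /* 8 bytes */
    const ULONG minimum = (policy == REJECT_ZERO_ONLY) ? 1 : header;

    *bytes_written = 0;
    if (!ReturnLength)
        return STATUS_ACCESS_VIOLATION;
    if (*ReturnLength < minimum)
    {
        *ReturnLength = sizeof(PRIVILEGE_SET);
        return STATUS_BUFFER_TOO_SMALL;
    }
    if (!PrivilegeSet)
        return STATUS_ACCESS_VIOLATION;

    PrivilegeSet->PrivilegeCount = 0;
    PrivilegeSet->Control = 0;
    *bytes_written = header;
    return STATUS_SUCCESS;
}

/* Returns 1 if a caller handing in a 'size'-byte buffer under 'policy' gets
 * past the size check and then has more bytes written than it supplied.  The
 * backing storage is always a full PRIVILEGE_SET, so the model itself never
 * writes out of bounds; only the logical overflow is reported. */
static int overflows_buffer(enum size_policy policy, ULONG size)
{
    PRIVILEGE_SET backing;
    ULONG len = size, written = 0;
    NTSTATUS st = model_access_check_prologue(policy, &backing, &len, &written);
    return st == STATUS_SUCCESS && written > size;
}

/* Status a caller sees for a given size, optionally with a NULL PrivilegeSet. */
static NTSTATUS status_for_size(enum size_policy policy, ULONG size, int null_set)
{
    PRIVILEGE_SET backing;
    ULONG len = size, written = 0;
    return model_access_check_prologue(policy, null_set ? NULL : &backing,
                                       &len, &written);
}

int main(void)
{
    for (ULONG size = 0; size <= sizeof(PRIVILEGE_SET); size++)
        printf("size %2u: zero-only check %s, header-size check %s\n",
               (unsigned)size,
               overflows_buffer(REJECT_ZERO_ONLY, size) ? "overflow" : "ok",
               overflows_buffer(REJECT_BELOW_HEADER, size) ? "overflow" : "ok");
    return 0;
}
```

With the zero-only check, sizes 1 through 7 are accepted and the header store runs past the caller's buffer; with the header-size check every size below FIELD_OFFSET(PRIVILEGE_SET, Privilege) is turned into STATUS_BUFFER_TOO_SMALL with the required size reported. In both variants a NULL PrivilegeSet with a zero length still yields STATUS_BUFFER_TOO_SMALL, because the size check precedes the pointer check.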