Re: [PATCH 1/2] ntdll: Implement NtCreateToken.

11 May 2018

      Hans Leidekker hans@codeweavers.com writes:
You are not being paranoid enough...
...

privs = get_req_data_after_objattr( objattr, &data_size );
privs_size = req->privilege_count * sizeof(*privs);

This can overflow.
...

if (req->default_dacl_size)
{
   acl = (const ACL *)((const char *)privs + privs_size);

   if (!acl_is_valid( acl, req->default_dacl_size ))

No check against request size.
...

data_size -= req->default_dacl_size;

groups = (const struct token_groups *)((const char *)privs + privs_size + req->default_dacl_size);

size could be misaligned.
...

if (data_size < sizeof(*groups) || !groups->count ||
   sizeof(*groups) + groups->count * sizeof(*attr) > data_size ||

This can overflow.
There may be more...  Also you probably want to introduce some kind of
helper function.
-- 
Alexandre Julliard
julliard@winehq.org

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

Re: [PATCH 1/2] ntdll: Implement NtCreateToken.