[PATCH 1/2] ntdll: Implement NtCreateToken.
Alexandre Julliard
julliard at winehq.org
Fri May 11 04:39:40 CDT 2018
Hans Leidekker <hans at codeweavers.com> writes:
You are not being paranoid enough...
> + privs = get_req_data_after_objattr( objattr, &data_size );
> + privs_size = req->privilege_count * sizeof(*privs);
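Review bot: `req->privilege_count * sizeof(*privs)` multiplies a client-supplied count with no upper bound, so on a 32-bit server the product can wrap to a small value and every later pointer computed from `privs + privs_size` will point past the request data. Check the count against the remaining request size in division form before forming the product, e.g. `if (req->privilege_count > data_size / sizeof(*privs)) ...`, and only then compute `privs_size`.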
This can overflow.
> + if (req->default_dacl_size)
> + {
> + acl = (const ACL *)((const char *)privs + privs_size);
> + if (!acl_is_valid( acl, req->default_dacl_size ))
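Review bot: `acl` is dereferenced by `acl_is_valid( acl, req->default_dacl_size )` before anything establishes that `privs_size + req->default_dacl_size` fits inside `data_size`, so a client that declares a DACL larger than what it actually sent makes the server read past the end of the request buffer. Add a subtraction-form bound (`req->default_dacl_size > data_size - privs_size`, with `privs_size <= data_size` already ensured) before the cast and validation call, so the bound itself cannot overflow.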
No check against request size.
> + data_size -= req->default_dacl_size;
> +
> + groups = (const struct token_groups *)((const char *)privs + privs_size + req->default_dacl_size);
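Review bot: `data_size -= req->default_dacl_size` is performed without first checking `req->default_dacl_size <= data_size`, so an oversize DACL underflows `data_size` to a huge value and silently defeats the `data_size < sizeof(*groups)` test that follows. Separately, `groups` is derived by byte offset from `privs`, so a `default_dacl_size` that is not a multiple of the alignment of `struct token_groups` yields a misaligned pointer; either reject DACL sizes that are not suitably aligned or round the offset up to the structure's alignment before casting.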
size could be misaligned.
> + if (data_size < sizeof(*groups) || !groups->count ||
> + sizeof(*groups) + groups->count * sizeof(*attr) > data_size ||
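Review bot: `groups->count * sizeof(*attr)` is another unbounded multiplication on client-controlled data; a `count` large enough to wrap the product makes `sizeof(*groups) + groups->count * sizeof(*attr) > data_size` evaluate false, and any loop that then walks `count` attributes reads out of bounds. Since `data_size < sizeof(*groups)` is already rejected on the line above, rewrite the size test as a division, `groups->count > (data_size - sizeof(*groups)) / sizeof(*attr)`, which cannot overflow.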
This can overflow.
There may be more... Also you probably want to introduce some kind of helper function.
--
Alexandre Julliard
julliard at winehq.org