Fix size used to validate the sids in aces.
diff --git a/server/token.c b/server/token.c
index cba6782..f1fba3b 100644
--- a/server/token.c
+++ b/server/token.c
@@ -161,6 +161,7 @@
for (i = 0; i < acl->AceCount; i++)
{
const SID *sid;
+ size_t sid_size;
if (size < sizeof(ACE_HEADER))
return FALSE;
@@ -171,21 +172,25 @@
{
case ACCESS_DENIED_ACE_TYPE:
sid = (const SID *)&((const ACCESS_DENIED_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(ACCESS_DENIED_ACE, SidStart);
break;
case ACCESS_ALLOWED_ACE_TYPE:
sid = (const SID *)&((const ACCESS_ALLOWED_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart);
break;
case SYSTEM_AUDIT_ACE_TYPE:
sid = (const SID *)&((const SYSTEM_AUDIT_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(SYSTEM_AUDIT_ACE, SidStart);
break;
case SYSTEM_ALARM_ACE_TYPE:
sid = (const SID *)&((const SYSTEM_ALARM_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(SYSTEM_ALARM_ACE, SidStart);
break;
default:
return FALSE;
}
- if (size < sizeof(SID) ||
- size < FIELD_OFFSET(SID, SubAuthority[sid->SubAuthorityCount]))
+ if (sid_size < FIELD_OFFSET(SID, SubAuthority[0]) ||
+ sid_size < FIELD_OFFSET(SID, SubAuthority[sid->SubAuthorityCount]))
return FALSE;
ace = ace_next( ace );
}
diff --git a/server/trace.c b/server/trace.c
index de386e3..04b2e57 100644
--- a/server/trace.c
+++ b/server/trace.c
@@ -429,9 +429,12 @@
DWORD i;
/* security check */
- if ((size < sizeof(SID)) ||
- (FIELD_OFFSET(SID, SubAuthority[sid->SubAuthorityCount]) > size))
+ if ((FIELD_OFFSET(SID, SubAuthority[0]) > size) ||
+ (FIELD_OFFSET(SID, SubAuthority[sid->SubAuthorityCount]) > size))
+ {
+ fprintf( stderr, "<invalid sid>" );
return;
+ }
fputc( '{', stderr );
fprintf( stderr, "S-%u-%lu", sid->Revision, MAKELONG(
@@ -453,12 +456,16 @@
if (size)
{
if (size < sizeof(ACL))
+ {
+ fprintf( stderr, "<invalid acl>}\n" );
return;
+ }
size -= sizeof(ACL);
ace = (const ACE_HEADER *)(acl + 1);
for (i = 0; i < acl->AceCount; i++)
{
const SID *sid = NULL;
+ size_t sid_size = 0;
if (size < sizeof(ACE_HEADER))
return;
@@ -471,21 +478,25 @@
{
case ACCESS_DENIED_ACE_TYPE:
sid = (const SID *)&((const ACCESS_DENIED_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(ACCESS_DENIED_ACE, SidStart);
fprintf( stderr, "ACCESS_DENIED_ACE_TYPE,Mask=%lx",
((const ACCESS_DENIED_ACE *)ace)->Mask );
break;
case ACCESS_ALLOWED_ACE_TYPE:
sid = (const SID *)&((const ACCESS_ALLOWED_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart);
fprintf( stderr, "ACCESS_ALLOWED_ACE_TYPE,Mask=%lx",
((const ACCESS_ALLOWED_ACE *)ace)->Mask );
break;
case SYSTEM_AUDIT_ACE_TYPE:
sid = (const SID *)&((const SYSTEM_AUDIT_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(SYSTEM_AUDIT_ACE, SidStart);
fprintf( stderr, "SYSTEM_AUDIT_ACE_TYPE,Mask=%lx",
((const SYSTEM_AUDIT_ACE *)ace)->Mask );
break;
case SYSTEM_ALARM_ACE_TYPE:
sid = (const SID *)&((const SYSTEM_ALARM_ACE *)ace)->SidStart;
+ sid_size = ace->AceSize - FIELD_OFFSET(SYSTEM_ALARM_ACE, SidStart);
fprintf( stderr, "SYSTEM_ALARM_ACE_TYPE,Mask=%lx",
((const SYSTEM_ALARM_ACE *)ace)->Mask );
break;
@@ -495,7 +506,7 @@
}
fprintf( stderr, ",AceFlags=%x,Sid=", ace->AceFlags );
if (sid)
- dump_inline_sid( sid, size );
+ dump_inline_sid( sid, sid_size );
ace = (const ACE_HEADER *)((const char *)ace + ace->AceSize);
fputc( '}', stderr );
}
