authorRon Yorston <rmy@pobox.com>2020-01-19 09:38:11 +0000
committerRon Yorston <rmy@pobox.com>2020-01-19 09:38:11 +0000
commit4b3b7975b2f28b067c593f45c7c7dda2d31bc250 (patch)
treec1666d7f784351198f0f347741dc49241ee066c4
parenta22490b9f4c2feb04f1f7bcbd0e8e51fc87a16b7 (diff)
downloadbusybox-w32-4b3b7975b2f28b067c593f45c7c7dda2d31bc250.tar.gz
busybox-w32-4b3b7975b2f28b067c593f45c7c7dda2d31bc250.tar.bz2
busybox-w32-4b3b7975b2f28b067c593f45c7c7dda2d31bc250.zip
mingw: fix use after free in file_owner()
The security descriptor was being freed before its contents were accessed.
-rw-r--r--win32/mingw.c15
1 files changed, 6 insertions, 9 deletions
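diff --git a/win32/mingw.c b/win32/mingw.c
index 38fbf2d4b..e64f48bf1 100644
--- a/win32/mingw.c
+++ b/win32/mingw.c
@@ -418,7 +418,6 @@ static uid_t file_owner(HANDLE fh)
 	PSECURITY_DESCRIPTOR pSD;
 	static PTOKEN_USER user = NULL;
 	static int initialised = 0;
-	int equal;
 	uid_t uid = 0;
 	DWORD *ptr;
 	unsigned char prefix[] = {
@@ -453,18 +452,16 @@ static uid_t file_owner(HANDLE fh)
 			&pSidOwner, NULL, NULL, NULL, &pSD) != ERROR_SUCCESS)
 		return 0;
 
-	equal = EqualSid(pSidOwner, user->User.Sid);
-	LocalFree(pSD);
-
-	if (equal)
-		return DEFAULT_UID;
-
-	/* for local or domain users use the RID as uid */
-	if (memcmp(pSidOwner, prefix, sizeof(prefix)) == 0) {
+	if (EqualSid(pSidOwner, user->User.Sid)) {
+		uid = DEFAULT_UID;
+	}
+	else if (memcmp(pSidOwner, prefix, sizeof(prefix)) == 0) {
+		/* for local or domain users use the RID as uid */
 		ptr = (DWORD *)pSidOwner;
 		if (ptr[6] >= 500 && ptr[6] < DEFAULT_UID)
 			uid = (uid_t)ptr[6];
 	}
+	LocalFree(pSD);
 	return uid;
 
 #if 0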
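Review bot: The owner SID is still inspected through raw memory on the new side: `memcmp(pSidOwner, prefix, sizeof(prefix))` reads sizeof(prefix) bytes of the SID whether or not GetLengthSid() says it is that long, and `ptr[6]` (byte offset 24, i.e. the fifth sub-authority) assumes a layout that only the prefix bytes, which are not visible in this hunk, establish. A length guard on the else-if, `else if (GetLengthSid(pSidOwner) >= sizeof(prefix) && memcmp(pSidOwner, prefix, sizeof(prefix)) == 0) {`, keeps the comparison in bounds for short SIDs, and `*GetSidSubAuthority(pSidOwner, 4)` would replace the DWORD-cast indexing with the API that spells the layout out. These are pre-existing lines the commit only moves inside the block that LocalFree(pSD) now closes, so this is a follow-up rather than a problem with the use-after-free fix itself. file_owner() starts before the first hunk and its tail (`#if 0`) continues past the end of the second.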