From 6bd80b51b42686ce5665140d0ab7c64bd35204d9 Mon Sep 17 00:00:00 2001 From: Rob Mensching Date: Sun, 14 Jul 2024 23:58:39 -0700 Subject: Fix faulty memory access in Util's User custom actions Generally, clean up the handling of getting the domain from a server name by centralizing and simplifying it behind an improved GetDomainFromServerName() based on the buggy GetServerName(). Fixes 8576 --- src/ext/Util/ca/scauser.cpp | 48 ++++++++------------------------------------- 1 file changed, 8 insertions(+), 40 deletions(-) (limited to 'src/ext/Util/ca/scauser.cpp') diff --git a/src/ext/Util/ca/scauser.cpp b/src/ext/Util/ca/scauser.cpp index b643a842..79da155f 100644 --- a/src/ext/Util/ca/scauser.cpp +++ b/src/ext/Util/ca/scauser.cpp @@ -487,7 +487,7 @@ HRESULT ScaUserExecute( { HRESULT hr = S_OK; DWORD er = 0; - PDOMAIN_CONTROLLER_INFOW pDomainControllerInfo = NULL; + LPWSTR pwzDomainName = NULL; LPWSTR pwzBaseScriptKey = NULL; DWORD cScriptKey = 0; 
@@ -518,36 +518,11 @@ HRESULT ScaUserExecute( ExitOnFailure(hr, "Failed to add user comment to custom action data: %ls", psu->wzComment); // Check to see if the user already exists since we have to be very careful when adding - // and removing users. Note: MSDN says that it is safe to call these APIs from any - // user, so we should be safe calling it during immediate mode. - er = ::NetApiBufferAllocate(sizeof(USER_INFO_0), reinterpret_cast(&pUserInfo)); - hr = HRESULT_FROM_WIN32(er); - ExitOnFailure(hr, "Failed to allocate memory to check existence of user: %ls", psu->wzName); - - LPCWSTR wzDomain = psu->wzDomain; - if (wzDomain && *wzDomain) - { - er = ::DsGetDcNameW(NULL, wzDomain, NULL, NULL, NULL, &pDomainControllerInfo); - if (RPC_S_SERVER_UNAVAILABLE == er) - { - // MSDN says, if we get the above error code, try again with the "DS_FORCE_REDISCOVERY" flag - er = ::DsGetDcNameW(NULL, wzDomain, NULL, NULL, DS_FORCE_REDISCOVERY, &pDomainControllerInfo); - } - if (ERROR_SUCCESS == er && pDomainControllerInfo->DomainControllerName) - { - // If the \\ prefix on the queried domain was present, skip it. - if ('\\' == *pDomainControllerInfo->DomainControllerName && '\\' == *pDomainControllerInfo->DomainControllerName + 1) - { - wzDomain = pDomainControllerInfo->DomainControllerName + 2; - } - else - { - wzDomain = pDomainControllerInfo->DomainControllerName; - } - } - } + // and removing users. + hr = GetDomainFromServerName(&pwzDomainName, psu->wzDomain, 0); + ExitOnFailure(hr, "Failed to get domain from server name: %ls", psu->wzDomain); - er = ::NetUserGetInfo(wzDomain, psu->wzName, 0, reinterpret_cast(pUserInfo)); + er = ::NetUserGetInfo(pwzDomainName, psu->wzName, 0, reinterpret_cast(&pUserInfo)); if (NERR_Success == er) { ueUserExists = USER_EXISTS_YES; 
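Review bot: The added `ExitOnFailure` after `GetDomainFromServerName` makes domain resolution a hard failure, whereas the removed code ignored a failed `DsGetDcNameW` and passed `psu->wzDomain` through unchanged. The `NetUserGetInfo` error path just below is still downgraded to `USER_EXISTS_INDETERMINATE`, so the two steps of the same existence check now disagree on whether a lookup problem is fatal. The helper's body is not in this diff, so it may already fall back to the input name and fail only on allocation; if it does, record that at the call with something like `// Fails only on allocation; an unreachable DC falls back to psu->wzDomain.` The comment should also say what reaches `NetUserGetInfo` when `psu->wzDomain` is NULL or empty, because this check feeds the "very careful when adding and removing users" decision. `ScaUserExecute` starts and ends outside this hunk.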
@@ -560,7 +535,7 @@ HRESULT ScaUserExecute( { ueUserExists = USER_EXISTS_INDETERMINATE; hr = HRESULT_FROM_WIN32(er); - WcaLog(LOGMSG_VERBOSE, "Failed to check existence of domain: %ls, user: %ls (error code 0x%x) - continuing", wzDomain, psu->wzName, hr); + WcaLog(LOGMSG_VERBOSE, "Failed to check existence of domain: %ls, user: %ls (error code 0x%x) - continuing", pwzDomainName, psu->wzName, hr); hr = S_OK; er = ERROR_SUCCESS; } @@ -685,11 +660,6 @@ HRESULT ScaUserExecute( ::NetApiBufferFree(static_cast(pUserInfo)); pUserInfo = NULL; } - if (pDomainControllerInfo) - { - ::NetApiBufferFree(static_cast(pDomainControllerInfo)); - pDomainControllerInfo = NULL; - } } LExit: @@ -697,14 +667,12 @@ LExit: ReleaseStr(pwzScriptKey); ReleaseStr(pwzActionData); ReleaseStr(pwzRollbackData); + ReleaseStr(pwzDomainName); + if (pUserInfo) { ::NetApiBufferFree(static_cast(pUserInfo)); } - if (pDomainControllerInfo) - { - ::NetApiBufferFree(static_cast(pDomainControllerInfo)); - } return hr; } -- cgit v1.2.3-55-g6feb
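Review bot: `pwzDomainName` is released only at `LExit`, whereas the `pDomainControllerInfo` cleanup removed in the previous hunk sat beside `pUserInfo = NULL;` at the end of what looks like a per-user block. If that block is a loop body, the string filled for one user is still set when `GetDomainFromServerName` runs for the next. Whether the helper overwrites or clears it for a NULL or empty `psu->wzDomain` is not visible here, and a stale value would send the `NetUserGetInfo` existence check to the wrong server. Resetting it per iteration with `ReleaseNullStr(pwzDomainName);` next to `pUserInfo = NULL;` removes the dependency on the helper's behaviour. The loop header and the helper are outside this diff.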