https://git.reactos.org/?p=reactos.git;a=commitdiff;h=3b00f98b94165420198f2447b14cc98fa3a5f2c0

commit 3b00f98b94165420198f2447b14cc98fa3a5f2c0
Author:     George Bișoc <[email protected]>
AuthorDate: Tue Aug 16 20:27:27 2022 +0200
Commit:     George Bișoc <[email protected]>
CommitDate: Tue Aug 16 20:27:27 2022 +0200

    [NTOS:SE] Fix new dynamic length calculation in TokenPrimaryGroup case
    
    Not only was primary group assignation broken, but the new dynamic length
    calculation is also broken. The length of the captured SID is not taken into
    account, so the new dynamic length gets only the size of the default ACL present
    in an access token.
    Therefore, the condition is always FALSE and the code never jumps to the
    STATUS_ALLOTTED_SPACE_EXCEEDED branch because the length will always be smaller
    than the charged dynamic length.
    
    Addendum to 86bde3c.
---
 ntoskrnl/se/tokencls.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ntoskrnl/se/tokencls.c b/ntoskrnl/se/tokencls.c
index 34127c477f2..6c40a72ccd1 100644
--- a/ntoskrnl/se/tokencls.c
+++ b/ntoskrnl/se/tokencls.c
@@ -1259,8 +1259,8 @@ NtSetInformationToken(
                          * to do so. Exceeding this boundary and we're
                          * busted out.
                          */
-                        NewDynamicLength = RtlLengthSid(CapturedSid) +
-                                           Token->DefaultDacl ? 
Token->DefaultDacl->AclSize : 0;
+                        AclSize = Token->DefaultDacl ? 
Token->DefaultDacl->AclSize : 0;
+                        NewDynamicLength = RtlLengthSid(CapturedSid) + AclSize;
                         if (NewDynamicLength > Token->DynamicCharged)
                         {
                             SepReleaseTokenLock(Token);
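Review bot: The root cause in the removed lines is operator precedence, and it is worth spelling out in the commit message: `?:` binds more loosely than `+`, so `RtlLengthSid(CapturedSid) + Token->DefaultDacl ? Token->DefaultDacl->AclSize : 0` was parsed as `(RtlLengthSid(CapturedSid) + Token->DefaultDacl) ? Token->DefaultDacl->AclSize : 0`. That condition is always non-zero, so `NewDynamicLength` was never the SID length plus the ACL size, and when `Token->DefaultDacl` is NULL the old code still dereferenced it, which is a crash path on top of the bypassed `DynamicCharged` check. Splitting the computation into `AclSize = ...;` and `NewDynamicLength = RtlLengthSid(CapturedSid) + AclSize;` is the right fix; consider keeping explicit parentheses around any future conditional used inside an arithmetic expression in this file so the same mistake is not reintroduced.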
@@ -1317,7 +1317,6 @@ NtSetInformationToken(
                                  * has a default DACL then add up its size with
                                  * the address of the dynamic part.
                                  */
-                                AclSize = Token->DefaultDacl ? 
Token->DefaultDacl->AclSize : 0;
                                 PrimaryGroup = (ULONG_PTR)(Token->DynamicPart) 
+ AclSize;
                                 
RtlCopySid(RtlLengthSid(Token->UserAndGroups[PrimaryGroupIndex].Sid),
                                            (PVOID)PrimaryGroup,
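Review bot: With the local `AclSize = ...` assignment removed here, the `PrimaryGroup = (ULONG_PTR)(Token->DynamicPart) + AclSize;` computation now depends on the assignment made roughly sixty lines earlier in the first hunk. Please confirm that every path reaching this point passes through that assignment (no early branch between line 1259 and 1317 skips it), or initialize `AclSize` at declaration, because an uninitialized `AclSize` here would make `RtlCopySid` write the primary group SID to a wrong offset inside the dynamic part. The comment immediately above ("If the token has a default DACL then add up its size with the address of the dynamic part") still reads as if the size were computed in this block; update it to say the size was computed during the length check above.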
