Hi Eric, For security reason, when freeing your password buffers (see below), you shouldn't be using ZeroMemory() before free, but SecureZeroMemory() to zero the buffer. The first one can be optimized (and thus removed) by the compiler. The second cannot.
Cheers, Pierre Le 17/09/2018 à 16:36, Eric Kohl a écrit : > https://git.reactos.org/?p=reactos.git;a=commitdiff;h=5e2c4657ca10dea1154cb43f16ee6962999ac7a4 > > commit 5e2c4657ca10dea1154cb43f16ee6962999ac7a4 > Author: Eric Kohl <eric.k...@reactos.org> > AuthorDate: Mon Sep 17 16:34:48 2018 +0200 > Commit: Eric Kohl <eric.k...@reactos.org> > CommitDate: Mon Sep 17 16:34:48 2018 +0200 > > [ADVAPI32][SERVICES] Add (dummy) password encryption/decryption functions > to CreateServiceA/W and ChangeServiceConfigA/W in order to prepare to pass > encrypted passwords to the service manager > --- > base/system/services/config.c | 24 ++++++++ > base/system/services/rpcserver.c | 49 ++++++++++++++-- > base/system/services/services.h | 7 +++ > dll/win32/advapi32/service/scm.c | 123 > ++++++++++++++++++++++++++++++++------- > 4 files changed, 177 insertions(+), 26 deletions(-) > > diff --git a/base/system/services/rpcserver.c > b/base/system/services/rpcserver.c > index aa64233350..454181bb66 100644 > --- a/base/system/services/rpcserver.c > +++ b/base/system/services/rpcserver.c > @@ -2216,12 +2232,23 @@ RChangeServiceConfigW( > dwError = ERROR_SUCCESS; > > if (dwError != ERROR_SUCCESS) > + { > + DPRINT1("ScmSetServicePassword failed (Error %lu)\n", > dwError); > goto done; > + } > } > } > } > > done: > + if (lpClearTextPassword != NULL) > + { > + /* Wipe and release the password buffer */ > + ZeroMemory(lpClearTextPassword, > + (wcslen(lpClearTextPassword) + 1) * sizeof(WCHAR)); > + HeapFree(GetProcessHeap(), 0, lpClearTextPassword); > + } > + > if (hServiceKey != NULL) > RegCloseKey(hServiceKey); > > @@ -2612,6 +2645,14 @@ done: > if (hServiceKey != NULL) > RegCloseKey(hServiceKey); > > + if (lpClearTextPassword != NULL) > + { > + /* Wipe and release the password buffer */ > + ZeroMemory(lpClearTextPassword, > + (wcslen(lpClearTextPassword) + 1) * sizeof(WCHAR)); > + HeapFree(GetProcessHeap(), 0, lpClearTextPassword); > + } > + > if (dwError == ERROR_SUCCESS) > { > DPRINT("hService %p\n", hServiceHandle); -- Pierre Schweitzer <pierre at reactos.org> System & Network Administrator Senior Kernel Developer ReactOS Deutschland e.V.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Ros-dev mailing list Ros-dev@reactos.org http://www.reactos.org/mailman/listinfo/ros-dev
