[ros-diffs] [hpoussin] 24533: Correctly return FALSE in SeAccessCheck if access is not granted Don't always check the first ace in the DACL

hpoussin at svn.reactos.org hpoussin at svn.reactos.org
Mon Oct 16 01:31:17 CEST 2006 

Author: hpoussin
Date: Mon Oct 16 03:31:16 2006
New Revision: 24533

URL: http://svn.reactos.org/svn/reactos?rev=24533&view=rev
Log:
Correctly return FALSE in SeAccessCheck if access is not granted
Don't always check the first ace in the DACL

Modified:
    trunk/reactos/ntoskrnl/se/semgr.c

Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=24533&r1=24532&r2=24533&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c Mon Oct 16 03:31:16 2006
@@ -997,7 +997,7 @@
 
       *GrantedAccess = 0;
       *AccessStatus = STATUS_ACCESS_DENIED;
-      return TRUE;
+      return FALSE;
     }
 
   /* RULE 4: Grant rights according to the DACL */
@@ -1016,17 +1016,20 @@
 
 	      *GrantedAccess = 0;
 	      *AccessStatus = STATUS_ACCESS_DENIED;
-	      return TRUE;
+	      return FALSE;
 	    }
 	}
 
-      if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
+      else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
 	{
 	  if (SepSidInToken(Token, Sid))
 	    {
 	      CurrentAccess |= CurrentAce->AccessMask;
 	    }
 	}
+	else
+	  DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
+	CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
     }
 
   if (SubjectContextLocked == FALSE)
@@ -1039,10 +1042,18 @@
 
   *GrantedAccess = CurrentAccess & DesiredAccess;
 
-  *AccessStatus =
-    (*GrantedAccess == DesiredAccess) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
-
-  return TRUE;
+  if (*GrantedAccess == DesiredAccess)
+    {
+      *AccessStatus = STATUS_SUCCESS;
+      return TRUE;
+    }
+  else
+    {
+      *AccessStatus = STATUS_ACCESS_DENIED;
+      DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
+        *GrantedAccess, DesiredAccess);
+      return TRUE; /* FIXME: should be FALSE */
+    }
 }

More information about the Ros-diffs mailing list