authorTim Smith <tsmith@chef.io>2018-03-14 11:20:23 -0700
committerGitHub <noreply@github.com>2018-03-14 11:20:23 -0700
commita4ba132c7ed162ea7845bf405255614d84117703 (patch)
tree21189e1c092c0434aea910d99baf44376758cefa
parent02775faa30db6a9ae98597cb6cd0e0c4defa7dc4 (diff)
parentd649ac65ac1958876794b18fcfad40da89c6a42d (diff)
downloadchef-a4ba132c7ed162ea7845bf405255614d84117703.tar.gz
Merge pull request #6980 from chef/btm/fix-lsa-heap-corruption
Pass pointer to LsaFreeMemory, not FFI::MemoryPointer
-rw-r--r--lib/chef/win32/security.rb30
1 files changed, 14 insertions, 16 deletions
diff --git a/lib/chef/win32/security.rb b/lib/chef/win32/security.rb
index 821d81ef81..f175511354 100644
--- a/lib/chef/win32/security.rb
+++ b/lib/chef/win32/security.rb
@@ -113,10 +113,7 @@ class Chef
with_lsa_policy(name) do |policy_handle, sid|
result = LsaAddAccountRights(policy_handle.read_pointer, sid, privilege_pointer, 1)
- win32_error = LsaNtStatusToWinError(result)
- if win32_error != 0
- Chef::ReservedNames::Win32::Error.raise!(nil, win32_error)
- end
+ test_and_raise_lsa_nt_status(result)
end
end
@@ -190,15 +187,14 @@ class Chef
result = LsaEnumerateAccountRights(policy_handle.read_pointer, sid, privilege_pointer, privilege_length)
win32_error = LsaNtStatusToWinError(result)
return [] if win32_error == 2 # FILE_NOT_FOUND - No rights assigned
- if win32_error != 0
- Chef::ReservedNames::Win32::Error.raise!(nil, win32_error)
- end
+ test_and_raise_lsa_nt_status(result)
privilege_length.read_ulong.times do |i|
privilege = LSA_UNICODE_STRING.new(privilege_pointer.read_pointer + i * LSA_UNICODE_STRING.size)
privileges << privilege[:Buffer].read_wstring
end
- LsaFreeMemory(privilege_pointer)
+ result = LsaFreeMemory(privilege_pointer.read_pointer)
+ test_and_raise_lsa_nt_status(result)
end
privileges
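Review bot: The new `LsaFreeMemory(privilege_pointer.read_pointer)` call is reached only when the `times` loop finishes, so an exception raised while building an `LSA_UNICODE_STRING` or in `read_wstring` would leave the buffer returned by `LsaEnumerateAccountRights` unfreed. Wrapping the loop in `begin` … `ensure` and moving the free into the `ensure` clause would release it on every path. Separately, `win32_error` is already computed two lines above the new `test_and_raise_lsa_nt_status(result)` call, so the status is converted twice; that is harmless but could be noted with a comment such as `# status 2 handled above; any other non-zero status raises`. The enclosing method starts before this hunk and continues past it.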
@@ -611,18 +607,13 @@ class Chef
policy_handle = FFI::MemoryPointer.new(:pointer)
result = LsaOpenPolicy(nil, LSA_OBJECT_ATTRIBUTES.new, access, policy_handle)
- win32_error = LsaNtStatusToWinError(result)
- if win32_error != 0
- Chef::ReservedNames::Win32::Error.raise!(nil, win32_error)
- end
+ test_and_raise_lsa_nt_status(result)
begin
yield policy_handle, sid.pointer
ensure
- win32_error = LsaNtStatusToWinError(LsaClose(policy_handle.read_pointer))
- if win32_error != 0
- Chef::ReservedNames::Win32::Error.raise!(nil, win32_error)
- end
+ result = LsaClose(policy_handle.read_pointer)
+ test_and_raise_lsa_nt_status(result)
end
end
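Review bot: Calling `test_and_raise_lsa_nt_status(result)` inside the `ensure` clause means a failed `LsaClose` replaces any exception already propagating out of the `yield`, so the original failure from the caller's block is lost. Since the second hunk now also raises from inside that block when `LsaFreeMemory` fails, this masking is more likely to hide the error an operator needs to see. Consider raising on the close status only when the block completed normally, e.g. `test_and_raise_lsa_nt_status(result) unless $!`, and logging the close failure otherwise. The start of `with_lsa_policy` is outside this hunk.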
@@ -676,6 +667,13 @@ class Chef
end
Token.new(Handle.new(token.read_pointer))
end
+
+ def test_and_raise_lsa_nt_status(result)
+ win32_error = LsaNtStatusToWinError(result)
+ if win32_error != 0
+ Chef::ReservedNames::Win32::Error.raise!(nil, win32_error)
+ end
+ end
end
end
end
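Review bot: `test_and_raise_lsa_nt_status` has no comment saying that its argument is the raw NTSTATUS returned by an LSA function rather than a Win32 error code, and the enumerate-rights hunk keeps both a `result` and a `win32_error` in scope, so a future caller could pass the wrong one. A short header would settle it: `# Converts an LSA NTSTATUS to a Win32 error code and raises Chef::ReservedNames::Win32::Error unless it is 0.` The helper also passes `nil` as the first argument to `raise!`, so the raised error presumably does not say which LSA call failed; an optional message parameter would make failures easier to triage. Whether the method sits under a `private` marker cannot be seen from this hunk.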