public inbox for cygwin-cvs@sourceware.org
help / color / mirror / Atom feed
* [newlib-cygwin] Cygwin: load_user_profile: fix use-after-free issue
@ 2019-03-01 20:09 Corinna Vinschen
0 siblings, 0 replies; only message in thread
From: Corinna Vinschen @ 2019-03-01 20:09 UTC (permalink / raw)
To: cygwin-cvs
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=7ba9d12a72a722e0f20a80716dbeaf293e66a714
commit 7ba9d12a72a722e0f20a80716dbeaf293e66a714
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Fri Mar 1 21:04:02 2019 +0100
Cygwin: load_user_profile: fix use-after-free issue
In case of a local machine account login, pi.lpProfilePath points
to the buffer returned by NetUserGetInfo, but NetApiBufferFree
is called prior to calling LoadUserProfileW. Fix by copying over
usri3_profile to the local userpath buffer, just as in the AD case.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/sec_auth.cc | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 0b5e112..077b37c 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -267,7 +267,11 @@ load_user_profile (HANDLE token, struct passwd *pw, cygpsid &usersid)
else
{
if (ui->usri3_profile && *ui->usri3_profile)
- pi.lpProfilePath = ui->usri3_profile;
+ {
+ wcsncpy (userpath, ui->usri3_profile, MAX_PATH - 1);
+ userpath[MAX_PATH - 1] = L'\0';
+ pi.lpProfilePath = userpath;
+ }
NetApiBufferFree (ui);
}
}
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-03-01 20:09 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-01 20:09 [newlib-cygwin] Cygwin: load_user_profile: fix use-after-free issue Corinna Vinschen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).