Hi Qian,

On Apr  1 18:15, Qian Hong wrote:
> Hi folks,
> 
> When playing with Cygwin / MSYS2 on Wine, I found a crashing related
> to LsaLookupSids.
> 
> 
> In winsup/cygwin/uinfo.cc, we want to copy an Unicode string from
> arg.full_acc->dom to dom:
> 
> 1768     *wcpncpy (dom, arg.full_acc->dom->Buffer,
> 1769           arg.full_acc->dom->Length / sizeof (WCHAR)) = L'\0';
> 
> where arg.full_acc->dom->Buffer came from dlst->Domains[nlst[ncnt].DomainIndex]
> 
> winsup/cygwin/grp.cc:
> 
> 650           fetch_acc_t full_acc =
> 651         {
> 652           .sid = sidp_buf[ncnt],
> 653           .name = &nlst[ncnt].Name,
> 654           .dom = &dlst->Domains[nlst[ncnt].DomainIndex].Name,
> 655           .acc_type = nlst[ncnt].Use
> 656         };
> 
> According to my test [1]. DomainIndex can be -1 sometimes, which seems
> valid according to a similar MSDN entry [2]:

Ouch.  I missed this hint in the description of LsaLookupSids:

  DomainIndex

    [...]
    If there is no corresponding domain for an account, this member
    contains a negative value.

> On windows, I never found crashing when accessing to Domains[-1]:
> While it might be safe, but it might not be meaningful, here is an
> example output of content of Domains[-1]:
> 
> lsa.c:431: haha names[8].DomainIndex -1
> lsa.c:432: use 8 /* SidTypeUnknown */
> lsa.c:433: name L"S-1-5-5-0-117053"
> lsa.c:434: domain name L"\0000\0002\08c0" /* seems like garbage */
> lsa.c:436: domain sid 00000020 /* not like a valid sid */

Ok, that makes sense.  This is a logon SID, a session-unique SID created
at logon time.  Not looking for invalid domain refs is clearly a bug in
Cygwin.  Since, as you said, Windows doesn't crash when accessing
ReferencedDomains[-1], I never noticed it.  I'll fix that and upload a
new Cygwin snapshot to https://cygwin.com/snapshots/ later today.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat