diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2019-03-01 23:04:02 +0300 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2019-03-01 23:08:44 +0300 |
| commit | 7ba9d12a72a722e0f20a80716dbeaf293e66a714 (patch) | |
| tree | 28f5129a43adbaf6a323c4529619540287b204f8 | |
| parent | 6aef5a46d7f22841e6a859103bb3f8acea060b84 (diff) | |
Cygwin: load_user_profile: fix use-after-free issue
In case of a local machine account login, pi.lpProfilePath points
to the buffer returned by NetUserGetInfo, but NetApiBufferFree
is called prior to calling LoadUserProfileW. Fix by copying over
usri3_profile to the local userpath buffer, just as in the AD case.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
| -rw-r--r-- | winsup/cygwin/sec_auth.cc | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index 0b5e11238..077b37ced 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -267,7 +267,11 @@ load_user_profile (HANDLE token, struct passwd *pw, cygpsid &usersid) else { if (ui->usri3_profile && *ui->usri3_profile) - pi.lpProfilePath = ui->usri3_profile; + { + wcsncpy (userpath, ui->usri3_profile, MAX_PATH - 1); + userpath[MAX_PATH - 1] = L'\0'; + pi.lpProfilePath = userpath; + } NetApiBufferFree (ui); } } |