https://git.reactos.org/?p=reactos.git;a=commitdiff;h=96761885432e19d4035922178e56c4c49f844153
commit 96761885432e19d4035922178e56c4c49f844153
Author: Hermès Bélusca-Maïto <[email protected]>
AuthorDate: Sun May 22 18:33:46 2022 +0200
Commit: Hermès Bélusca-Maïto <[email protected]>
CommitDate: Mon May 23 19:30:36 2022 +0200
[NTOS:SE] NtAdjustGroupsToken(): Avoid double-free on ObReferenceObjectByHandle failure path (#4523)
---
 ntoskrnl/se/token.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index aad1321abd6..65018f60f3f 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -5256,7 +5256,6 @@ NtAdjustGroupsToken(
 ULONG NewStateSize = 0;
 PSID_AND_ATTRIBUTES CapturedGroups = NULL;
 BOOLEAN ChangesMade = FALSE;
- BOOLEAN LockAndReferenceAcquired = FALSE;
 PAGED_CODE();
@@ -5363,12 +5362,11 @@ NtAdjustGroupsToken(
 TRUE);
 }
- goto Quit;
+ return Status;
 }
 /* Lock the token */
 SepAcquireTokenLockExclusive(Token);
- LockAndReferenceAcquired = TRUE;
 /* Count the number of groups to be changed */
 Status = SepAdjustGroups(Token,
@@ -5442,13 +5440,9 @@ Quit:
 ExAllocateLocallyUniqueId(&Token->ModifiedId);
 }
- /* Have we successfully acquired the lock and referenced the token before? */
- if (LockAndReferenceAcquired)
- {
- /* Unlock and dereference the token */
- SepReleaseTokenLock(Token);
- ObDereferenceObject(Token);
- }
+ /* Unlock and dereference the token */
+ SepReleaseTokenLock(Token);
+ ObDereferenceObject(Token);
 /* Release the captured groups */
 if (CapturedGroups != NULL)
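Review bot: The new `return Status;` in the `@@ -5363,12 +5362,11 @@` hunk skips the `Quit:` cleanup without a comment saying why, although that skip is the whole point of the fix. Only the tail of the preceding cleanup (`TRUE); }`) is visible, so presumably the captured groups are released just above and the old `goto Quit;` released them a second time. I would add a comment above the return, e.g. `/* Token is neither referenced nor locked here and the captured groups are already released; do not jump to Quit */`. The failure branch starts outside the hunk, so it is worth confirming that nothing else captured earlier in NtAdjustGroupsToken() still needs releasing on this path.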
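Review bot: With the `LockAndReferenceAcquired` guard removed, the `Quit:` path in the `@@ -5442,13 +5440,9 @@` hunk calls `SepReleaseTokenLock(Token)` and `ObDereferenceObject(Token)` unconditionally, so it is only correct if every remaining `goto Quit` sits after `SepAcquireTokenLockExclusive(Token)`. The diff shows one earlier exit converted to `return Status;`, but the rest of the function is outside the hunks and should be checked for any other jump taken before the token is referenced. To keep a later edit from reintroducing an unlock or dereference of a token that was never acquired, state the invariant at the label, e.g. `/* Quit is only reached with the token referenced and its lock held exclusively */`.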
