commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject svn commit: r903406 - /commons/sandbox/runtime/trunk/src/main/native/support/win32/wsuexec.c
Date Tue, 26 Jan 2010 20:42:19 GMT
Author: mturk
Date: Tue Jan 26 20:42:13 2010
New Revision: 903406

URL: http://svn.apache.org/viewvc?rev=903406&view=rev
Log:
Guard against direct calls

Modified:
    commons/sandbox/runtime/trunk/src/main/native/support/win32/wsuexec.c

Modified: commons/sandbox/runtime/trunk/src/main/native/support/win32/wsuexec.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/support/win32/wsuexec.c?rev=903406&r1=903405&r2=903406&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/support/win32/wsuexec.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/support/win32/wsuexec.c Tue Jan 26 20:42:13
2010
@@ -1403,6 +1403,17 @@
     }
 }
 
+static LPWSTR GetProcessExecutableName(HANDLE hProcess)
+{
+    WCHAR szName[8192];
+    DWORD cbName = 8192;
+
+    if (GetProcessImageFileNameW(hProcess, szName, cbName) < cbName)
+        return wcsdup(szName);
+    else
+        return NULL;
+}
+
 #define MIN(a, b) (a) < (b) ? (a) : (b)
 
 static LPWCH GetSafeEnvironmentBlock(LPCWSTR szExtVars)
@@ -1593,6 +1604,7 @@
     LPWSTR *args = NULL;
     LPWSTR *argv = NULL;
     LPWSTR  cmdline = NULL;
+    LPWSTR  szCurrentImageName = NULL;
     WCHAR   szVmsMem[RESOURCE_NAME_LEN] = L"";
     WCHAR   szPassword[RESOURCE_USER_LEN] = L"";
     HANDLE  hJobObject     = NULL;
@@ -1654,6 +1666,12 @@
         DBG_PRINTF((__LINE__, "[ERROR] GetCurrentAccessToken err=%d", GetLastError()));
         goto cleanup;
     }
+    szCurrentImageName = GetProcessExecutableName(hCurrentProcess);
+    if (szCurrentImageName == NULL) {
+        rc = GWEXITERROR();
+        DBG_PRINTF((__LINE__, "[ERROR] GetProcessExecutableName err=%d", GetLastError()));
+        goto cleanup;
+    }
     EnableSysPrivileges(hToken);
     GetTokenSessionId(hToken, &dwSourceSessionId);
     /* Supress unwanted session switch */
@@ -1847,6 +1865,7 @@
         argc += 2;
     }
     else if (dwParentPid) {
+        LPWSTR szParentImageName;
         if (!lpVmsPtr) {
             /* We don't have the valid
              * for the supplied parent
@@ -1861,6 +1880,20 @@
             DBG_PRINTF((__LINE__, "[ERROR] OpenProcess %d err=%d", dwParentPid, GetLastError()));
             goto cleanup;
         }
+        szParentImageName = GetProcessExecutableName(hParent);
+        if (szParentImageName == NULL) {
+            rc = GWEXITERROR();
+            DBG_PRINTF((__LINE__, "[ERROR] GetProcessExecutableName %d err=%d", dwParentPid,
GetLastError()));
+            goto cleanup;
+        }
+        if (wcscmp(szParentImageName, szCurrentImageName)) {
+            /* Somone tried to call us directly with shared memory data?
+             */
+                rc = RWEXITERROR(ERROR_ACCESS_DENIED);
+            DBG_PRINTF((__LINE__, "[ERROR] Different parent %S", szParentImageName));
+            goto cleanup;
+        }
+        x_free(szParentImageName);
         if (!ReadProcessMemory(hParent, lpVmsPtr,
                                lpForkData, sizeof(FORK_DATA), NULL)) {
             rc = GWEXITERROR();
@@ -2124,21 +2157,21 @@
              * immediately from DllMain
              */
             if (IS_VALID_HANDLE(hPpipe[PIPE_STDINP_RPC])) {
-                int fd = _open_osfhandle((ptrdiff_t)hPpipe[PIPE_STDINP_RPC], _O_RDONLY);
+                int fd = _open_osfhandle((ptrdiff_t)hPpipe[PIPE_STDINP_RPC], _O_RDONLY |
_O_BINARY);
                 if (fd > 0)
-                    dup2(fd, 0);
+                    fd = dup2(fd, 0);
                 hPpipe[PIPE_STDINP_RPC] = NULL;
             }
             if (IS_VALID_HANDLE(hPpipe[PIPE_STDOUT_RPC])) {
-                int fd = _open_osfhandle((ptrdiff_t)hPpipe[PIPE_STDOUT_RPC], _O_WRONLY);
+                int fd = _open_osfhandle((ptrdiff_t)hPpipe[PIPE_STDOUT_RPC], _O_WRONLY |
_O_BINARY);
                 if (fd > 1)
-                    dup2(fd, 1);
+                    fd = dup2(fd, 1);
                 hPpipe[PIPE_STDOUT_RPC] = NULL;
             }
             if (IS_VALID_HANDLE(hPpipe[PIPE_STDERR_RPC])) {
-                int fd = _open_osfhandle((ptrdiff_t)hPpipe[PIPE_STDERR_RPC], _O_WRONLY);
+                int fd = _open_osfhandle((ptrdiff_t)hPpipe[PIPE_STDERR_RPC], _O_WRONLY |
_O_BINARY);
                 if (fd > 2)
-                    dup2(fd, 2);
+                    fd = dup2(fd, 2);
                 hPpipe[PIPE_STDERR_RPC] = NULL;
             }
             DBG_PRINTF((__LINE__, "[INFO] LoadLibrary dll=%S func=%s", argv[0], lpForkData->szDllEntry));
@@ -2604,6 +2637,7 @@
         /* Close OVERLAPPED events */
         SAFE_CLOSE_HANDLE(sbOvlp[i].o.hEvent);
     }
+    x_free(szCurrentImageName);
     FreeArrayAndElements(args);
     if (lpForkData) {
         VirtualFree(lpForkData, 0, MEM_RELEASE);



Mime
View raw message