Cygwin: load_user_profile: fix use-after-free issue
In case of a local machine account login, pi.lpProfilePath points to the buffer returned by NetUserGetInfo, but NetApiBufferFree is called prior to calling LoadUserProfileW. Fix by copying over usri3_profile to the local userpath buffer, just as in the AD case. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
		| @@ -267,7 +267,11 @@ load_user_profile (HANDLE token, struct passwd *pw, cygpsid &usersid) | ||||
|       else | ||||
| 	{ | ||||
| 	  if (ui->usri3_profile && *ui->usri3_profile) | ||||
| 	    pi.lpProfilePath = ui->usri3_profile; | ||||
| 	    { | ||||
| 	      wcsncpy (userpath, ui->usri3_profile, MAX_PATH - 1); | ||||
| 	      userpath[MAX_PATH - 1] = L'\0'; | ||||
| 	      pi.lpProfilePath = userpath; | ||||
| 	    } | ||||
| 	  NetApiBufferFree (ui); | ||||
| 	} | ||||
|     } | ||||
|   | ||||
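Review bot: The `wcsncpy` into `userpath` truncates silently, so a `usri3_profile` longer than `MAX_PATH - 1` characters would be handed on as a shortened, different path instead of being rejected. Consider checking the length up front, e.g. `if (ui->usri3_profile && *ui->usri3_profile && wcslen (ui->usri3_profile) < MAX_PATH)`, and leaving `pi.lpProfilePath` unset (ideally with a debug message) when the path does not fit. The copy also assumes `userpath` holds at least MAX_PATH wide characters and stays in scope until LoadUserProfileW is called. Both the declaration and that call are outside this hunk, so this is worth confirming against the full function.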