From: Joris van der Wel Subject: [2/4] server: Support sending process and thread security descriptors for the "new_process" request in the protocol. Message-Id: Date: Wed, 17 Sep 2014 16:18:08 +0200 server: Support sending process and thread security descriptors for the "new_process" request in the protocol. --- dlls/kernel32/process.c | 2 ++ server/process.c | 44 ++++++++++++++++++++++++++++++-------------- server/protocol.def | 4 ++++ 3 files changed, 36 insertions(+), 14 deletions(-) From 450e214c9ba479ee769c40bde482953f792b4f93 Mon Sep 17 00:00:00 2001 From: Joris van der Wel Date: Wed, 17 Sep 2014 15:36:39 +0200 Subject: server: Support sending process and thread security descriptors for the "new_process" request in the protocol. --- dlls/kernel32/process.c | 2 ++ server/process.c | 44 ++++++++++++++++++++++++++++++-------------- server/protocol.def | 4 ++++ 3 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
index 301c64a..66e4a31 100644
--- a/dlls/kernel32/process.c
+++ b/dlls/kernel32/process.c
@@ -2034,6 +2034,8 @@ static BOOL create_process( HANDLE hFile, LPCWSTR filename, LPWSTR cmd_line, LPW
 req->thread_access = THREAD_ALL_ACCESS;
 req->thread_attr = (tsa && (tsa->nLength >= sizeof(*tsa)) && tsa->bInheritHandle) ? OBJ_INHERIT : 0;
 req->cpu = cpu;
+ req->process_sd_size= 0;
+ req->thread_sd_size = 0;
 req->info_size = startup_info_size;
 wine_server_add_data( req, startup_info, startup_info_size );
diff --git a/server/process.c b/server/process.c
index 7b9a3b2..110a38f 100644
--- a/server/process.c
+++ b/server/process.c
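Review bot: `req->process_sd_size= 0;` drops the space before `=` while the neighbouring `req->` assignments in the hunk space the operator; write it as `req->process_sd_size = 0;`. Both new fields are sent as zero, so the lpSecurityDescriptor members of psa/tsa are still not forwarded by this patch — presumably a later patch in the series fills them in, which is fine as long as the server side accepts zero-length descriptors (the size check in the server hunk does). create_process starts before and ends after the hunk.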
@@ -880,6 +880,24 @@ DECL_HANDLER(new_process)
 struct process *process;
 struct process *parent = current->process;
 int socket_fd = thread_get_inflight_fd( current, req->socket_fd );
+ const startup_info_t *req_info;
+ data_size_t req_info_size;
+ const WCHAR *req_env;
+ data_size_t req_env_size;
+
+ if (req->process_sd_size > get_req_data_size() ||
+ req->thread_sd_size > get_req_data_size() - req->process_sd_size ||
+ req->info_size > get_req_data_size() - req->process_sd_size - req->thread_sd_size)
+ {
+ close( socket_fd );
+ return;
+ }
+
+ req_info = (const startup_info_t *)
+ ((char*)get_req_data() + req->process_sd_size + req->thread_sd_size);
+ req_env = (const WCHAR *)
+ ((char*)get_req_data() + req->process_sd_size + req->thread_sd_size + req->info_size);
+ req_env_size = get_req_data_size() - (req->process_sd_size + req->thread_sd_size + req->info_size);
 if (socket_fd == -1)
 {
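Review bot: The new request-size validation returns without setting a status, so a client that sends inconsistent process_sd_size/thread_sd_size/info_size values gets a zeroed reply that looks like success rather than an error; the neighbouring socket_fd checks call set_error(), so add `set_error( STATUS_INVALID_PARAMETER );` before `close( socket_fd );`. The check itself is written correctly for untrusted unsigned sizes — each size is compared against the remaining length instead of summing all three, which could wrap in data_size_t — and deserves a comment such as `/* sizes come from the client: compare against the remainder rather than summing, to avoid wrap-around */` so a later cleanup does not fold it into an overflowing addition. It also runs before the existing `socket_fd == -1` test, so `close( -1 )` is reached on that path; harmless (EBADF), but moving the block after the socket_fd validation keeps the handler's error paths in their existing order. new_process's body continues outside the hunk.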
@@ -920,27 +938,25 @@ DECL_HANDLER(new_process)
 !(info->exe_file = get_file_obj( current->process, req->exe_file, FILE_READ_DATA )))
 goto done;
- info->data_size = get_req_data_size();
- info->info_size = min( req->info_size, info->data_size );
-
 if (req->info_size < sizeof(*info->data))
 {
 /* make sure we have a full startup_info_t structure */
- data_size_t env_size = info->data_size - info->info_size;
- data_size_t info_size = min( req->info_size, FIELD_OFFSET( startup_info_t, curdir_len ));
-
- if (!(info->data = mem_alloc( sizeof(*info->data) + env_size ))) goto done;
- memcpy( info->data, get_req_data(), info_size );
- memset( (char *)info->data + info_size, 0, sizeof(*info->data) - info_size );
- memcpy( info->data + 1, (const char *)get_req_data() + req->info_size, env_size );
- info->info_size = sizeof(startup_info_t);
- info->data_size = info->info_size + env_size;
+ info->info_size = sizeof(*info->data);
+ info->data_size = sizeof(*info->data) + req_env_size;
+
+ req_info_size = min( req->info_size, FIELD_OFFSET( startup_info_t, curdir_len ));
+ if (!(info->data = mem_alloc( info->data_size ))) goto done;
+ memset( info->data, 0, info->data_size );
+ memcpy( info->data, req_info, req_info_size );
+ memcpy( info->data + 1, req_env, req_env_size );
 }
 else
 {
 data_size_t pos = sizeof(*info->data);
-
- if (!(info->data = memdup( get_req_data(), info->data_size ))) goto done;
+ info->info_size = req->info_size;
+ info->data_size = req->info_size + req_env_size;
+
+ if (!(info->data = memdup( req_info, info->data_size ))) goto done;
 #define FIXUP_LEN(len) do { (len) = min( (len), info->info_size - pos ); pos += (len); } while(0)
 FIXUP_LEN( info->data->curdir_len );
 FIXUP_LEN( info->data->dllpath_len );
diff --git a/server/protocol.def b/server/protocol.def
index c9270ea..dca98a4 100644
--- a/server/protocol.def
+++ b/server/protocol.def
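Review bot: The else branch now stores `req->info_size` unclamped (`info->info_size = req->info_size;`) where the removed code used `min( req->info_size, info->data_size )`; that is only safe because of the size check added earlier in the handler, outside this hunk, so a comment on that line such as `/* req->info_size was validated against the request data at the top of the handler */` keeps the two from drifting apart. In the short-info branch, `memset( info->data, 0, info->data_size );` clears the whole allocation although the environment bytes are overwritten by the following memcpy — harmless, but `memset( info->data, 0, sizeof(*info->data) );` states the intent (pad the partial startup_info_t) more precisely. The enclosing handler starts before and continues after the hunk.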
@@ -670,7 +670,11 @@ struct rawinput_device
 unsigned int thread_access; /* access rights for thread object */
 unsigned int thread_attr; /* attributes for thread object */
 cpu_type_t cpu; /* CPU that the new process will use */
+ data_size_t process_sd_size;/* size of the process security descriptor */
+ data_size_t thread_sd_size; /* size of the thread security descriptor */
 data_size_t info_size; /* size of startup info */
+ VARARG(process_sd,security_descriptor,process_sd_size); /* security descriptor to set on the process */
+ VARARG(thread_sd,security_descriptor,thread_sd_size); /* security descriptor to set on the thread */
 VARARG(info,startup_info,info_size); /* startup information */
 VARARG(env,unicode_str); /* environment for new process */
 @REPLY
-- 1.8.1.msysgit.1
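Review bot: The varargs are now ordered process_sd, thread_sd, info, env, so every reader of this request's data must skip the two descriptors before reaching the startup info, yet nothing in the definition says whether the descriptor blobs are padded so that the second security_descriptor and the following startup_info_t start at an aligned offset. The server hunk copies the startup info out with memcpy/memdup and is unaffected, but a future consumer that casts the pointer after the descriptors to a struct would not be — a comment on the VARARG lines stating the expected alignment (or that readers must copy rather than cast) would settle it. Also `data_size_t process_sd_size;/* size of the process security descriptor */` is missing the space before the comment that the neighbouring fields have.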