Incorrect Memory Allocation for DACL in createWindowsDACL() Function

[idrassi]

Overview

There is a bug in the createWindowsDACL() function where the memory allocation for the DACL is incorrectly calculated. This miscalculation leads to insufficient memory allocation for the ACCESS_ALLOWED_ACE structures, potentially causing buffer overflows and undefined behavior when these structures are used.

Expected Behavior

The function should allocate sufficient memory for the DACL by including the size of the ACCESS_ALLOWED_ACE structure for each ACE in the total memory calculation. The correct calculation should sum up the sizes of the ACL, all ACCESS_ALLOWED_ACE structures, and the SIDs involved.

Actual Behavior

The current implementation of the createWindowsDACL() function incorrectly calculates the total memory required for the DACL. The existing code is:

cbACL = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid)
        + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pLocalSystemSid) + GetLengthSid(pOwnerRightsSid);

This calculation mistakenly adds the size of ACCESS_ALLOWED_ACE twice while adding the lengths of all three SIDs.

Context

Discovered during code review

[droidmonkey]

Ugh, this precacluation of the size is so archaic.