From ebcacdec7a825a397191a5ba20258fec149f5b01 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=B4me=20Gardou?=
Date: Wed, 8 Oct 2014 19:50:14 +0000
Subject: [PATCH 1/1] [NTOS/SE] - Correctly reference/dereference token object when the set token is already in use.
svn path=/trunk/; revision=64619
---
 reactos/ntoskrnl/se/token.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/reactos/ntoskrnl/se/token.c b/reactos/ntoskrnl/se/token.c
index f476cd64e8d..4acfb34b095 100644
--- a/reactos/ntoskrnl/se/token.c
+++ b/reactos/ntoskrnl/se/token.c
@@ -243,19 +243,28 @@ SeExchangePrimaryToken(PEPROCESS Process,
 if (OldToken == NewToken)
 {
 /* So it's a nop. */
- PsDereferencePrimaryToken(OldToken);
+ *OldTokenP = OldToken;
 return STATUS_SUCCESS;
 }
 Status = SepCompareTokens(OldToken, NewToken, &IsEqual);
 if (!NT_SUCCESS(Status))
 {
+ *OldTokenP = NULL;
 PsDereferencePrimaryToken(OldToken);
 return Status;
 }
- PsDereferencePrimaryToken(OldToken);
- return IsEqual ? STATUS_SUCCESS : STATUS_TOKEN_ALREADY_IN_USE;
+ if (!IsEqual)
+ {
+ *OldTokenP = NULL;
+ PsDereferencePrimaryToken(OldToken);
+ return STATUS_TOKEN_ALREADY_IN_USE;
+ }
+ /* Silently return STATUS_SUCCESS but do not set the new token,
+ * as it's already in use elsewhere. */
+ *OldTokenP = OldToken;
+ return STATUS_SUCCESS;
 }
 /* Mark new token in use */
--
2.17.1
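Review bot: Both `STATUS_SUCCESS` returns in the already-in-use branch now hand `OldToken` back through `*OldTokenP` without exchanging anything, and nothing in the hunk says who owns that reference afterwards. The reference itself is taken before the hunk starts, so I am assuming the caller is expected to drop it exactly once on success and nothing on failure. A mismatch on a token object is either a leaked reference or a premature free, so please confirm that assumption against the callers. I would state the contract at the top of the branch, for example `/* On STATUS_SUCCESS *OldTokenP holds a reference the caller must release; on failure it is NULL and nothing is owed. */`. The final success path also reports success although `NewToken` was not installed, so that comment should say a caller cannot use the status alone to conclude the process now runs under `NewToken`. The function body begins and ends outside the hunk.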