Release DACL after the named pipe was created

src/shared/Communication.cpp

 #include <Windows.h>
 #include <Lmcons.h>
 #include <Sddl.h>
 #include <aclapi.h>
 #include <strsafe.h>
 
 #include "AutoHandle.h"
 #include "Communication.h"
 #include "Utils.h"
 
@@ skipping 82 matching lines @@
       sharedAllAppContainersSid.reset(static_cast<SID*>(allAppContainersSid), FreeSid); // Just to simplify cleanup
 
       explicitAccess[1].grfAccessPermissions = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
       explicitAccess[1].grfAccessMode = SET_ACCESS;
       explicitAccess[1].grfInheritance= NO_INHERITANCE;
       explicitAccess[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
       explicitAccess[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
       explicitAccess[1].Trustee.ptstrName = static_cast<LPWSTR>(allAppContainersSid);
 
       PACL acl = 0;
+      // acl has to be released after this
       if (SetEntriesInAcl(2, explicitAccess, 0, &acl) != ERROR_SUCCESS)
         return std::auto_ptr<SECURITY_DESCRIPTOR>(0);
-      std::tr1::shared_ptr<ACL> sharedAcl(static_cast<ACL*>(acl), LocalFree); // Just to simplify cleanup
 
+      // This only references the acl, not copies it
       if (!SetSecurityDescriptorDacl(securityDescriptor.get(), TRUE, acl, FALSE))
         return std::auto_ptr<SECURITY_DESCRIPTOR>(0);
-
     }
 
     // Create a dummy security descriptor with low integrirty preset and copy its SACL into ours
     LPCWSTR accessControlEntry = L"S:(ML;;NW;;;LW)";
     PSECURITY_DESCRIPTOR dummySecurityDescriptorLow;
     ConvertStringSecurityDescriptorToSecurityDescriptorW(accessControlEntry, SDDL_REVISION_1, &dummySecurityDescriptorLow, 0);
     std::tr1::shared_ptr<SECURITY_DESCRIPTOR> sharedDummySecurityDescriptor(static_cast<SECURITY_DESCRIPTOR*>(dummySecurityDescriptorLow), LocalFree); // Just to simplify cleanup
     BOOL saclPresent = FALSE;
     BOOL saclDefaulted = FALSE;
     PACL sacl;
     GetSecurityDescriptorSacl(dummySecurityDescriptorLow, &saclPresent, &sacl, &saclDefaulted);
     if (saclPresent)
     {
       if (!SetSecurityDescriptorSacl(securityDescriptor.get(), TRUE, sacl, FALSE))
       {
         DWORD err = GetLastError();
         return std::auto_ptr<SECURITY_DESCRIPTOR>(0);
       }
     }
 
     return securityDescriptor;
   }
 }
 
+  // Releases the DACL structure in the provided security descriptor
+  void ReleaseDacl(PSECURITY_DESCRIPTOR securityDescriptor)
+  {
+    BOOL aclPresent = FALSE;
+    BOOL aclDefaulted = FALSE;
+    PACL acl;
+    GetSecurityDescriptorDacl(securityDescriptor, &aclPresent, &acl, &aclDefaulted);
+    if (aclPresent)
+    {
+      LocalFree(acl);
+    }
+  }
 const std::wstring Communication::pipeName = L"\\\\.\\pipe\\adblockplusengine_" + GetUserName();
 
 void Communication::InputBuffer::CheckType(Communication::ValueType expectedType)
 {
   if (!hasType)
     ReadBinary(currentType);
 
   if (currentType != expectedType)
   {
     // Make sure we don't attempt to read the type again
@@ skipping 31 matching lines @@
 Communication::Pipe::Pipe(const std::wstring& pipeName, Communication::Pipe::Mode mode)
 {
   pipe = INVALID_HANDLE_VALUE;
   if (mode == MODE_CREATE)
   {
     SECURITY_ATTRIBUTES securityAttributes = {};
     securityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
     securityAttributes.bInheritHandle = TRUE;
 
     std::tr1::shared_ptr<SECURITY_DESCRIPTOR> sharedSecurityDescriptor; // Just to simplify cleanup
-
+  
     AutoHandle token;
     OpenProcessToken(GetCurrentProcess(), TOKEN_READ, token);
     
     if (IsWindowsVistaOrLater())
     {
       std::auto_ptr<SID> logonSid = GetLogonSid(token);
       // Create a SECURITY_DESCRIPTOR that has both Low Integrity and allows access to all AppContainers
       // This is needed since IE likes to jump out of Enhanced Protected Mode for specific pages (bing.com)
+
+      // ATTENTION: DACL in the returned securityDescriptor has to be manually released by ReleaseDacl
       std::auto_ptr<SECURITY_DESCRIPTOR> securityDescriptor = CreateSecurityDescriptor(logonSid.get());
+
       securityAttributes.lpSecurityDescriptor = securityDescriptor.release();
       sharedSecurityDescriptor.reset(static_cast<SECURITY_DESCRIPTOR*>(securityAttributes.lpSecurityDescriptor));
     }
     pipe = CreateNamedPipeW(pipeName.c_str(),  PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
       PIPE_UNLIMITED_INSTANCES, bufferSize, bufferSize, 0, &securityAttributes);
+
+    if (IsWindowsVistaOrLater())
+    {
+      ReleaseDacl(securityAttributes.lpSecurityDescriptor);
+    }
   }
   else
   {
     pipe = CreateFileW(pipeName.c_str(), GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
     if (pipe == INVALID_HANDLE_VALUE && GetLastError() == ERROR_PIPE_BUSY)
     {
       if (!WaitNamedPipeW(pipeName.c_str(), 10000))
         throw PipeBusyError();
 
       pipe = CreateFileW(pipeName.c_str(), GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
     }
   }
 
   if (pipe == INVALID_HANDLE_VALUE)
     throw PipeConnectionError();
 
   DWORD pipeMode = PIPE_READMODE_MESSAGE | PIPE_WAIT;
   if (!SetNamedPipeHandleState(pipe, &pipeMode, 0, 0))
-    throw std::runtime_error("SetNamedPipeHandleState failed: error " + GetLastError());
+    throw std::runtime_error(AppendErrorCode("SetNamedPipeHandleState failed"));
 
   if (mode == MODE_CREATE && !ConnectNamedPipe(pipe, 0))
   {
     DWORD err = GetLastError();
-    throw std::runtime_error("Client failed to connect: error " + GetLastError());
+    throw std::runtime_error(AppendErrorCode("Client failed to connect"));
   }
 }
 
 Communication::Pipe::~Pipe()
 {
   CloseHandle(pipe);
 }
 
 Communication::InputBuffer Communication::Pipe::ReadMessage()
 {
@@ skipping 25 matching lines @@
   return Communication::InputBuffer(stream.str());
 }
 
 void Communication::Pipe::WriteMessage(Communication::OutputBuffer& message)
 {
   DWORD bytesWritten;
   std::string data = message.Get();
   if (!WriteFile(pipe, data.c_str(), static_cast<DWORD>(data.length()), &bytesWritten, 0))
     throw std::runtime_error("Failed to write to pipe");
 }