GetSecurityDescriptor recursive loop

Jul 9, 2009 at 1:06 PM

In the current implementation of the GetSecurityDescriptor the search engine will get in a unending recursive loop if the ACl is larger then 1024 bytes. (about 40 logins)

This is because when the ACL is larger the HRESULT.ERROR_INSUFFICIENT_BUFFER error is thrown, but contains the incorrect value. Therefor the size is not adjusted and will result in another HRESULT.ERROR_INSUFFICIENT_BUFFER.

To fix this change the following in the HRESULT enumeration:


must be:


After this change everything works smoothly.

I did dig 2 days into this before I found the comment from tatsuki on this page:

It seems my two days are nothing compared to his couple of months tracking this :).