afs: Use correct output buffer for FSCmd pioctl

MRAFS added the FsCmd pioctl for passing messages to the fileserver;
a bug causes it to write into the wrong memory and potentially panic
clients.

FIXES 131896 (CVE-2015-3285)

Change-Id: Ic3a81fe06edc886f24bbc0537ea53e994b086c9e

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 7cdc075..917296a 100644 (file)
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -5065,8 +5065,7 @@ DECL_PIOCTL(PFsCmd)
            if (tc) {
                RX_AFS_GUNLOCK();
                code =
-                   RXAFS_FsCmd(rxconn, Fid, Inputs,
-                                       (struct FsCmdOutputs *)aout);
+                   RXAFS_FsCmd(rxconn, Fid, Inputs, Outputs);
                RX_AFS_GLOCK();
            } else
                code = -1;