From c0a33ddd82736d71faf2585495102fe1e4b88eb0 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Tue, 29 Oct 2013 08:24:06 -0400
Subject: [PATCH] Windows: Uninitialized TargetNameLength/Offset

In RDR_PopulateCurrentEntry it is possible for TargetNameLength and TargetNameOffset to be uninitialized resulting in stack garbage being returned to the redirector. This can result in a blue screen.

Change-Id: Ifa306ba54bea3f26f1938cbd6bdc28521065299d
Reviewed-on: http://gerrit.openafs.org/10373
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
---
 src/WINNT/afsrdr/user/RDRFunction.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/WINNT/afsrdr/user/RDRFunction.c b/src/WINNT/afsrdr/user/RDRFunction.c
index 764635b..cb62204 100644
--- a/src/WINNT/afsrdr/user/RDRFunction.c
+++ b/src/WINNT/afsrdr/user/RDRFunction.c
@@ -584,11 +584,9 @@ RDR_PopulateCurrentEntry( IN AFSDirEnumEntry * pCurrentEntry,
 if (!(dwFlags & RDR_POP_NO_GETSTATUS))
 cm_SyncOpDone( scp, NULL, CM_SCACHESYNC_NEEDCALLBACK | CM_SCACHESYNC_GETSTATUS);
- if ((dwFlags & RDR_POP_NO_GETSTATUS) || !cm_HaveCallback(scp)) {
- pCurrentEntry->TargetNameOffset = 0;
- pCurrentEntry->TargetNameLength = 0;
- }
- else
+ pCurrentEntry->TargetNameOffset = 0;
+ pCurrentEntry->TargetNameLength = 0;
+ if (!(dwFlags & RDR_POP_NO_GETSTATUS) && cm_HaveCallback(scp))
 {
 switch (scp->fileType) {
 case CM_SCACHETYPE_MOUNTPOINT: {
@@ -644,12 +642,11 @@ RDR_PopulateCurrentEntry( IN AFSDirEnumEntry * pCurrentEntry,
 code2 = cm_HandleLink(scp, userp, reqp);
 if (code2 == 0) {
- size_t wtarget_len = 0;
-
 if (scp->mountPointStringp[0]) {
 char * mp;
 char * s;
 size_t offset = 0;
+ size_t wtarget_len = 0;
 len = strlen(scp->mountPointStringp) + 1;
 mp = strdup(scp->mountPointStringp);
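Review bot: The two unconditional assignments added at the top of the hunk (`TargetNameOffset = 0;` / `TargetNameLength = 0;`) are now the default for every path through the switch, but nothing says so, and the explicit zeroing that survives as context in the last hunk (`pCurrentEntry->TargetNameOffset = 0; pCurrentEntry->TargetNameLength = 0; }` at -758) now duplicates it. A one-line comment above the new pair would make the invariant visible to the next maintainer: `/* Default: no target name. The fileType cases below overwrite these only when they produce one. */`. Whether the later duplicate zeroing can be dropped depends on which branch it sits in, which is outside this hunk, so I would leave it but note the redundancy. The switch body and the enclosing function continue beyond the hunk.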
@@ -742,9 +739,9 @@ RDR_PopulateCurrentEntry( IN AFSDirEnumEntry * pCurrentEntry,
 }
 free(mp);
- }
- pCurrentEntry->TargetNameLength = (ULONG)(sizeof(WCHAR) * (wtarget_len - 1));
+ pCurrentEntry->TargetNameLength = (ULONG)(sizeof(WCHAR) * (wtarget_len - 1));
+ }
 } else {
 osi_Log2(afsd_logp, "RDR_PopulateCurrentEntry cm_HandleLink failed scp=0x%p code=0x%x", scp, code2);
@@ -758,6 +755,7 @@ RDR_PopulateCurrentEntry( IN AFSDirEnumEntry * pCurrentEntry,
 pCurrentEntry->TargetNameOffset = 0;
 pCurrentEntry->TargetNameLength = 0;
 }
+ }
 lock_ReleaseWrite(&scp->rw);
 dwEntryLength += pCurrentEntry->FileNameLength + pCurrentEntry->TargetNameLength;
-- 
1.9.4
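Review bot: Moving `TargetNameLength = (ULONG)(sizeof(WCHAR) * (wtarget_len - 1));` inside the `if (scp->mountPointStringp[0])` block removes the empty-string case, but the subtraction is still evaluated with no lower bound on `wtarget_len`. The code that fills `wtarget_len` lies between the declaration added in the previous hunk and this assignment and is not in view; if any path there can leave it at 0 (a failed conversion, for instance), the `size_t` subtraction wraps and the `ULONG` cast stores a near-maximum length, which the context in the last hunk then folds into `dwEntryLength += pCurrentEntry->FileNameLength + pCurrentEntry->TargetNameLength;` and hands to the redirector — the same class of bad-length bug the commit is fixing. I would guard it, keeping the zero set at the top of the function as the fallback: `if (wtarget_len > 0) pCurrentEntry->TargetNameLength = (ULONG)(sizeof(WCHAR) * (wtarget_len - 1));`. The `- 1` reads as discounting a terminating NUL; a short comment saying so on that line would help. The enclosing function starts and ends outside this hunk.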