DEVEL15-windows-pioctl-buffer-overrun-20070609

this patch protects against a buffer overrun in the client if the
server were to send more data than the receiving buffer can hold.

(cherry picked from commit 8a814a5596e9d8db1c24326715f794ae46966b3b)

diff --git a/src/sys/pioctl_nt.c b/src/sys/pioctl_nt.c
index 05486c7..8f2b940 100644 (file)
--- a/src/sys/pioctl_nt.c
+++ b/src/sys/pioctl_nt.c
@@ -991,6 +991,10 @@ pioctl(char *pathp, long opcode, struct ViceIoctl *blobp, int follow)
 
     MarshallString(&preq, fullPath);
     if (blobp->in_size) {
+        if (blobp->in_size > sizeof(preq.data) - (preq.mp - preq.data)*sizeof(char)) {
+            errno = E2BIG;
+            return -1;
+        }
        memcpy(preq.mp, blobp->in, blobp->in_size);
        preq.mp += blobp->in_size;
     }