If the specified buffer size is too small, say so. Do not
attempt to copy data in that won't fit. Do not walk beyond
the end of the allocated memory.
Change-Id: Id4a75273d8ec9e9cc8471a963bc32f6cad59163e
Reviewed-on: http://gerrit.openafs.org/6140
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
HRESULT hr;
WCHAR *pwch;
DWORD dwCount = 0;
+ DWORD dwRequiredSize;
#ifdef AFS_DEBUG_TRACE
AFSDbgPrint( L"NPGetConnection drive substitution %s is AFS\n",
wchSubstName);
#endif
+ dwRequiredSize = wcslen( wchSubstName) * sizeof( WCHAR) + sizeof( WCHAR);
+
if ( lpRemoteName == NULL ||
- dwPassedSize == 0)
+ dwPassedSize == 0 ||
+ dwRequiredSize > *lpBufferSize)
{
- *lpBufferSize = wcslen( wchSubstName) * sizeof( WCHAR) + sizeof( WCHAR);
+ *lpBufferSize = dwRequiredSize;
try_return( dwStatus = WN_MORE_DATA);
if ( SUCCEEDED(hr))
{
- for ( dwCount = 0, pwch = lpRemoteName; *pwch; pwch++ )
+ for ( dwCount = 0, pwch = lpRemoteName; *pwch && pwch < lpRemoteName + (*lpBufferSize); pwch++ )
{
if ( *pwch == L'\\' )
{