Windows: AFSParseMountPointTarget buffer overrun
authorJeffrey Altman <jaltman@your-file-system.com>
Wed, 4 Jan 2012 06:10:37 +0000 (01:10 -0500)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Wed, 11 Jan 2012 03:52:15 +0000 (19:52 -0800)
When parsing the AFS mount point string do not overrun
the buffer if the colon cell/volume separator is not
found.

Change-Id: Id7275cc8815223730f7c39bd11a6f495beb117c4
Reviewed-on: http://gerrit.openafs.org/6507
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>

src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp

index 2354043..29dc20f 100644 (file)
@@ -115,7 +115,8 @@ AFSParseMountPointTarget( IN  UNICODE_STRING *Target,
 
     // If a colon is not found, it means there is no cell
 
-    if ( Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
+    if ( Cell->Length < Target->Length - sizeof( WCHAR) &&
+         Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
     {
 
         Cell->MaximumLength = Cell->Length;