From 54b7292a4499106f956a4449c620466f64303498 Mon Sep 17 00:00:00 2001
From: Nickolai Zeldovich <kolya@mit.edu>
Date: Fri, 16 Mar 2001 03:35:07 +0000
Subject: [PATCH] do-bounds-checking-in-psetvolumestatus-20010315

Previously it was possible to overflow the variables used to construct a
SetVolumeStatus call
---
 src/afs/afs_pioctl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index d4d0037..2044147 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1502,10 +1502,16 @@ static PSetVolumeStatus(avc, afun, areq, ain, aout, ainSize, aoutSize)
     cp = ain;
     bcopy(cp, (char *)&volstat, sizeof(AFSFetchVolumeStatus));
     cp += sizeof(AFSFetchVolumeStatus);
+    if (strlen(cp) >= sizeof(volName))
+	return E2BIG;
     strcpy(volName, cp);
     cp += strlen(volName)+1;
+    if (strlen(cp) >= sizeof(offLineMsg))
+	return E2BIG;
     strcpy(offLineMsg, cp);
     cp +=  strlen(offLineMsg)+1;
+    if (strlen(cp) >= sizeof(motd))
+	return E2BIG;
     strcpy(motd, cp);
     storeStat.Mask = 0;
     if (volstat.MinQuota != -1) {
-- 
1.9.4