From 6185532db58692e58fca035a7b89767523d33225 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@your-file-system.com>
Date: Wed, 4 Jan 2012 01:10:37 -0500
Subject: [PATCH] Windows: AFSParseMountPointTarget buffer overrun

When parsing the AFS mount point string do not overrun
the buffer if the colon cell/volume separator is not
found.

Change-Id: Id7275cc8815223730f7c39bd11a6f495beb117c4
Reviewed-on: http://gerrit.openafs.org/6507
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
---
 src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp b/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp
index 2354043..29dc20f 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp
@@ -115,7 +115,8 @@ AFSParseMountPointTarget( IN  UNICODE_STRING *Target,
 
     // If a colon is not found, it means there is no cell
 
-    if ( Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
+    if ( Cell->Length < Target->Length - sizeof( WCHAR) &&
+         Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
     {
 
         Cell->MaximumLength = Cell->Length;
-- 
1.9.4