]> git.michaelhowe.org Git - packages/o/openafs.git/commitdiff
projects / packages / o / openafs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f504df3)
windows-winqual-20060206
authorJeffrey Altman <jaltman@secure-endpoints.com>
Mon, 6 Feb 2006 07:06:33 +0000 (07:06 +0000)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Mon, 6 Feb 2006 07:06:33 +0000 (07:06 +0000)
Fix two bugs reported via Windows Crash Reporting:

 * Freelance initialization is somehow broken allowing the number of
   locally defined mountpoints to become negative.  Due to the use of
   != instead of < in loops, it is possible to read/write unallocated
   memory.

 * GetTextualSid() was not properly handling a NULL output buffer
   pointer as an indication that the desired size should be returned.

src/WINNT/afsd/cm_freelance.c patch | blob | history
src/WINNT/afsd/cm_memmap.c patch | blob | history

diff --git a/src/WINNT/afsd/cm_freelance.c b/src/WINNT/afsd/cm_freelance.c
index a9308c8ce87963e395f4e8428b6376a061aabe7b..1621c7f6fa82c9cb5a22f97d361f045502c4c4c1 100644 (file)
--- a/src/WINNT/afsd/cm_freelance.c
+++ b/src/WINNT/afsd/cm_freelance.c
@@ -217,7 +217,7 @@ void cm_InitFakeRootDir() {
     /* Reserve 2 directory chunks for "." and ".." */
     curChunk += 2;
 
-    while (curDirEntry!=cm_noLocalMountPoints) {
+    while (curDirEntry<cm_noLocalMountPoints) {
         sizeOfCurEntry = cm_NameEntries((cm_localMountPoints+curDirEntry)->namep, 0);
         if ((curChunk + sizeOfCurEntry >= CPP) ||
              (curDirEntryInPage + 1 >= CM_DIR_EPP)) {
@@ -282,7 +282,7 @@ void cm_InitFakeRootDir() {
     // 2. we have less than CM_DIR_EPP entries in page 0
     // 3. we're not out of chunks in page 0
 
-    while( (curDirEntry!=cm_noLocalMountPoints) && 
+    while( (curDirEntry<cm_noLocalMountPoints) && 
            (curDirEntryInPage < CM_DIR_EPP) &&
            (curChunk + cm_NameEntries((cm_localMountPoints+curDirEntry)->namep, 0) <= CPP)) 
     {       
@@ -311,7 +311,7 @@ void cm_InitFakeRootDir() {
     curPage++;
 
     // ok, page 0's done. Move on to the next page.
-    while (curDirEntry!=cm_noLocalMountPoints) {
+    while (curDirEntry<cm_noLocalMountPoints) {
         // setup a new page
         curChunk = 1;                  // the zeroth chunk is reserved for page header
         curDirEntryInPage = 0; 
@@ -323,7 +323,7 @@ void cm_InitFakeRootDir() {
         fakePageHeader.tag = htons(1234);
 
         // while we're on the same page...
-        while ( (curDirEntry!=cm_noLocalMountPoints) &&
+        while ( (curDirEntry<cm_noLocalMountPoints) &&
                 (curDirEntryInPage < CM_DIR_EPP) &&
                 (curChunk + cm_NameEntries((cm_localMountPoints+curDirEntry)->namep, 0) <= CPP))
         {
diff --git a/src/WINNT/afsd/cm_memmap.c b/src/WINNT/afsd/cm_memmap.c
index 63b2b8780a69a2ec0edfa2531b1a4f8076f709bd..ab1f74d4e917be2df54c3fd2abcafe0174d979ae 100644 (file)
--- a/src/WINNT/afsd/cm_memmap.c
+++ b/src/WINNT/afsd/cm_memmap.c
@@ -476,7 +476,7 @@ BOOL GetTextualSid( PSID pSid, PBYTE TextualSid, LPDWORD lpdwBufferLen )
     // Check input buffer length.
     // If too small, indicate the proper size and set the last error.
 
-    if (*lpdwBufferLen < dwSidSize)
+    if (TextualSid == NULL || *lpdwBufferLen < dwSidSize)
     {
         *lpdwBufferLen = dwSidSize;
         SetLastError(ERROR_INSUFFICIENT_BUFFER);