From: Andrew Deason Date: Wed, 8 Jul 2015 18:20:13 +0000 (-0400) Subject: afs: Use correct output buffer for FSCmd pioctl X-Git-Tag: upstream/1.6.13^2~3 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=06a5b0bd91f3ec6efad8b21831b4d1ec1a0f5003;p=packages%2Fo%2Fopenafs.git afs: Use correct output buffer for FSCmd pioctl MRAFS added the FsCmd pioctl for passing messages to the fileserver; a bug causes it to write into the wrong memory and potentially panic clients. FIXES 131896 (CVE-2015-3285) (cherry picked from commit ef671f497e9161ec2759446d594789495d3346f1) Change-Id: I1ee1fa7dff1d2594cfe9fab5ae0b7fc9245803de --- diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c index 89a56b976..fe76a711c 100644 --- a/src/afs/afs_pioctl.c +++ b/src/afs/afs_pioctl.c @@ -5030,8 +5030,7 @@ DECL_PIOCTL(PFsCmd) if (tc) { RX_AFS_GUNLOCK(); code = - RXAFS_FsCmd(rxconn, Fid, Inputs, - (struct FsCmdOutputs *)aout); + RXAFS_FsCmd(rxconn, Fid, Inputs, Outputs); RX_AFS_GLOCK(); } else code = -1;
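Review bot: The replacement call `RXAFS_FsCmd(rxconn, Fid, Inputs, Outputs);` in the `if (tc)` branch depends on `Outputs` being set up outside this hunk, and nothing in the visible lines shows where it is assigned or that it points at output storage with room for a full `struct FsCmdOutputs`. The removed `(struct FsCmdOutputs *)aout` cast compiled cleanly because the cast hid the type mismatch, so the same care is needed here: please widen the diff context to include the declaration and assignment of `Outputs`, or state in the commit message how it is derived from `aout`, and confirm that the available output size is checked before the RPC writes through the pointer. One sentence in the commit message saying what `aout` actually is would also record why the old cast wrote into the wrong memory.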