From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Mon, 6 Feb 2006 07:07:08 +0000 (+0000)
Subject: STABLE14-windows-winqual-20060206
X-Git-Tag: openafs-stable-1_4_1-rc7~22
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=0b95cfab6f5f7aec931be1a0c146b05e40115d75;p=packages%2Fo%2Fopenafs.git

STABLE14-windows-winqual-20060206


Fix two bugs reported via Windows Crash Reporting:

 * Freelance initialization is somehow broken allowing the number of
   locally defined mountpoints to become negative.  Due to the use of
   != instead of < in loops, it is possible to read/write unallocated
   memory.

 * GetTextualSid() was not properly handling a NULL output buffer
   pointer as an indication that the desired size should be returned.


(cherry picked from commit 77de32ed745d912e35990c5602b4a69a1b654973)
---

diff --git a/src/WINNT/afsd/cm_freelance.c b/src/WINNT/afsd/cm_freelance.c
index e539a3517..7f4ffadae 100644
--- a/src/WINNT/afsd/cm_freelance.c
+++ b/src/WINNT/afsd/cm_freelance.c
@@ -217,7 +217,7 @@ void cm_InitFakeRootDir() {
     /* Reserve 2 directory chunks for "." and ".." */
     curChunk += 2;
 
-    while (curDirEntry!=cm_noLocalMountPoints) {
+    while (curDirEntry<cm_noLocalMountPoints) {
         sizeOfCurEntry = cm_NameEntries((cm_localMountPoints+curDirEntry)->namep, 0);
         if ((curChunk + sizeOfCurEntry >= CPP) ||
              (curDirEntryInPage + 1 >= CM_DIR_EPP)) {
@@ -282,7 +282,7 @@ void cm_InitFakeRootDir() {
     // 2. we have less than CM_DIR_EPP entries in page 0
     // 3. we're not out of chunks in page 0
 
-    while( (curDirEntry!=cm_noLocalMountPoints) && 
+    while( (curDirEntry<cm_noLocalMountPoints) && 
            (curDirEntryInPage < CM_DIR_EPP) &&
            (curChunk + cm_NameEntries((cm_localMountPoints+curDirEntry)->namep, 0) <= CPP)) 
     {       
@@ -311,7 +311,7 @@ void cm_InitFakeRootDir() {
     curPage++;
 
     // ok, page 0's done. Move on to the next page.
-    while (curDirEntry!=cm_noLocalMountPoints) {
+    while (curDirEntry<cm_noLocalMountPoints) {
         // setup a new page
         curChunk = 1;			// the zeroth chunk is reserved for page header
         curDirEntryInPage = 0; 
@@ -323,7 +323,7 @@ void cm_InitFakeRootDir() {
         fakePageHeader.tag = htons(1234);
 
         // while we're on the same page...
-        while ( (curDirEntry!=cm_noLocalMountPoints) &&
+        while ( (curDirEntry<cm_noLocalMountPoints) &&
                 (curDirEntryInPage < CM_DIR_EPP) &&
                 (curChunk + cm_NameEntries((cm_localMountPoints+curDirEntry)->namep, 0) <= CPP))
         {
diff --git a/src/WINNT/afsd/cm_memmap.c b/src/WINNT/afsd/cm_memmap.c
index a9ad74fee..c7f8d7233 100644
--- a/src/WINNT/afsd/cm_memmap.c
+++ b/src/WINNT/afsd/cm_memmap.c
@@ -474,7 +474,7 @@ BOOL GetTextualSid( PSID pSid, PBYTE TextualSid, LPDWORD lpdwBufferLen )
     // Check input buffer length.
     // If too small, indicate the proper size and set the last error.
 
-    if (*lpdwBufferLen < dwSidSize)
+    if (TextualSid == NULL || *lpdwBufferLen < dwSidSize)
     {
         *lpdwBufferLen = dwSidSize;
         SetLastError(ERROR_INSUFFICIENT_BUFFER);