From: Jeffrey Altman <jaltman@your-file-system.com>
Date: Wed, 4 Jan 2012 06:10:37 +0000 (-0500)
Subject: Windows: AFSParseMountPointTarget buffer overrun
X-Git-Tag: upstream/1.8.0_pre1^2~2840
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=6185532db58692e58fca035a7b89767523d33225;p=packages%2Fo%2Fopenafs.git

Windows: AFSParseMountPointTarget buffer overrun

When parsing the AFS mount point string do not overrun
the buffer if the colon cell/volume separator is not
found.

Change-Id: Id7275cc8815223730f7c39bd11a6f495beb117c4
Reviewed-on: http://gerrit.openafs.org/6507
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
---

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp b/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp
index 235404381..29dc20f8c 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSFSControl.cpp
@@ -115,7 +115,8 @@ AFSParseMountPointTarget( IN  UNICODE_STRING *Target,
 
     // If a colon is not found, it means there is no cell
 
-    if ( Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
+    if ( Cell->Length < Target->Length - sizeof( WCHAR) &&
+         Cell->Buffer[ Cell->Length / sizeof( WCHAR)] == L':')
     {
 
         Cell->MaximumLength = Cell->Length;