From: Andrew Deason <adeason@sinenomine.net>
Date: Wed, 8 Jul 2015 18:20:13 +0000 (-0400)
Subject: afs: Use correct output buffer for FSCmd pioctl
X-Git-Tag: upstream/1.8.0_pre1^2~302
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=ef671f497e9161ec2759446d594789495d3346f1;p=packages%2Fo%2Fopenafs.git

afs: Use correct output buffer for FSCmd pioctl

MRAFS added the FsCmd pioctl for passing messages to the fileserver;
a bug causes it to write into the wrong memory and potentially panic
clients.

FIXES 131896 (CVE-2015-3285)

Change-Id: Ic3a81fe06edc886f24bbc0537ea53e994b086c9e
---

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 7cdc075ce..917296aba 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -5065,8 +5065,7 @@ DECL_PIOCTL(PFsCmd)
 	    if (tc) {
 		RX_AFS_GUNLOCK();
 		code =
-		    RXAFS_FsCmd(rxconn, Fid, Inputs,
-					(struct FsCmdOutputs *)aout);
+		    RXAFS_FsCmd(rxconn, Fid, Inputs, Outputs);
 		RX_AFS_GLOCK();
 	    } else
 		code = -1;