From 06a5b0bd91f3ec6efad8b21831b4d1ec1a0f5003 Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Wed, 8 Jul 2015 14:20:13 -0400
Subject: [PATCH] afs: Use correct output buffer for FSCmd pioctl

MRAFS added the FsCmd pioctl for passing messages to the fileserver; a bug causes it to write into the wrong memory and potentially panic clients.
FIXES 131896 (CVE-2015-3285)
(cherry picked from commit ef671f497e9161ec2759446d594789495d3346f1)
Change-Id: I1ee1fa7dff1d2594cfe9fab5ae0b7fc9245803de
---
 src/afs/afs_pioctl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 89a56b976..fe76a711c 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -5030,8 +5030,7 @@ DECL_PIOCTL(PFsCmd)
 if (tc) {
 RX_AFS_GUNLOCK();
 code =
- RXAFS_FsCmd(rxconn, Fid, Inputs,
- (struct FsCmdOutputs *)aout);
+ RXAFS_FsCmd(rxconn, Fid, Inputs, Outputs);
 RX_AFS_GLOCK();
 } else
 code = -1;
--
2.39.5
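Review bot: The new call `RXAFS_FsCmd(rxconn, Fid, Inputs, Outputs);` is only safe if `Outputs` is a valid reply buffer of the full struct size, but its assignment and any NULL or length check lie outside this hunk, so the visible lines do not show that the RPC can no longer write through a bad pointer. The removed cast suggests `aout` is not itself a `struct FsCmdOutputs`, and that the cast let the mismatch compile without a warning. A short comment above the call would help keep the cast from returning, for example `/* Outputs must point at sizeof(*Outputs) bytes of reply space; never cast aout itself */`. The body of `DECL_PIOCTL(PFsCmd)` starts and ends outside the hunk, so confirm there that `Outputs` is validated before the `if (tc)` branch, and check the other pioctl handlers for similar casts of `aout`.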