From 31d80e64683a6e7ce33ab714759e74a18454110d Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Tue, 29 Nov 2011 14:59:24 -0500
Subject: [PATCH] Windows: NPGetConnectionCommon buffer too small

If the specified buffer size is too small, say so. Do not attempt to copy data in that won't fit. Do not walk beyond the end of the allocated memory.

Change-Id: Id4a75273d8ec9e9cc8471a963bc32f6cad59163e
Reviewed-on: http://gerrit.openafs.org/6140
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Tested-by: Jeffrey Altman
---
 src/WINNT/afsrdr/npdll/AFS_Npdll.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/WINNT/afsrdr/npdll/AFS_Npdll.c b/src/WINNT/afsrdr/npdll/AFS_Npdll.c
index 51fe57a04..e412d91ba 100644
--- a/src/WINNT/afsrdr/npdll/AFS_Npdll.c
+++ b/src/WINNT/afsrdr/npdll/AFS_Npdll.c
@@ -1253,17 +1253,21 @@ NPGetConnectionCommon( LPWSTR lpLocalName,
 HRESULT hr;
 WCHAR *pwch;
 DWORD dwCount = 0;
+ DWORD dwRequiredSize;
 #ifdef AFS_DEBUG_TRACE
 AFSDbgPrint( L"NPGetConnection drive substitution %s is AFS\n", wchSubstName);
 #endif
+ dwRequiredSize = wcslen( wchSubstName) * sizeof( WCHAR) + sizeof( WCHAR);
+
 if ( lpRemoteName == NULL ||
- dwPassedSize == 0)
+ dwPassedSize == 0 ||
+ dwRequiredSize > *lpBufferSize)
 {
- *lpBufferSize = wcslen( wchSubstName) * sizeof( WCHAR) + sizeof( WCHAR);
+ *lpBufferSize = dwRequiredSize;
 try_return( dwStatus = WN_MORE_DATA);
@@ -1274,7 +1278,7 @@ NPGetConnectionCommon( LPWSTR lpLocalName,
 if ( SUCCEEDED(hr))
 {
- for ( dwCount = 0, pwch = lpRemoteName; *pwch; pwch++ )
+ for ( dwCount = 0, pwch = lpRemoteName; *pwch && pwch < lpRemoteName + (*lpBufferSize); pwch++ )
 {
 if ( *pwch == L'\\' )
 {
-- 
2.39.5
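Review bot: The added clause `dwRequiredSize > *lpBufferSize` reads the caller's size through the pointer, while the clause just above it tests `dwPassedSize`, so the two halves of one condition may be looking at different values. The assignment of dwPassedSize is outside the hunk; if it holds the byte count the caller passed in, comparing against it (`dwRequiredSize > dwPassedSize`) keeps the check independent of any earlier write to `*lpBufferSize`. A short comment such as `/* sizes are byte counts and include the terminating NUL */` above the dwRequiredSize computation would make the unit explicit, which matters for the pointer bound added in the second hunk. The function body starts and ends outside the hunk.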
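Review bot: The new loop bound `pwch < lpRemoteName + (*lpBufferSize)` adds a byte count to what appears to be a WCHAR pointer (pwch is declared `WCHAR *` and is assigned from lpRemoteName without a cast), so the limit lands at twice the buffer's length in elements and does not stop a walk past the allocation. The condition also evaluates `*pwch` before testing the bound, so the element at the limit is read regardless. Testing the bound first and scaling it to elements addresses both: `for ( dwCount = 0, pwch = lpRemoteName; pwch < lpRemoteName + (*lpBufferSize / sizeof( WCHAR)) && *pwch; pwch++ )`. The loop body continues outside the hunk.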