From 77de32ed745d912e35990c5602b4a69a1b654973 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 6 Feb 2006 07:06:33 +0000
Subject: [PATCH] windows-winqual-20060206
Fix two bugs reported via Windows Crash Reporting: * Freelance initialization is somehow broken allowing the number of locally defined mountpoints to become negative. Due to the use of != instead of < in loops, it is possible to read/write unallocated memory. * GetTextualSid() was not properly handling a NULL output buffer pointer as an indication that the desired size should be returned.
---
 src/WINNT/afsd/cm_freelance.c | 8 ++++----
 src/WINNT/afsd/cm_memmap.c | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/WINNT/afsd/cm_freelance.c b/src/WINNT/afsd/cm_freelance.c
index a9308c8ce..1621c7f6f 100644
--- a/src/WINNT/afsd/cm_freelance.c
+++ b/src/WINNT/afsd/cm_freelance.c
@@ -217,7 +217,7 @@ void cm_InitFakeRootDir() {
 /* Reserve 2 directory chunks for "." and ".." */
 curChunk += 2;
- while (curDirEntry!=cm_noLocalMountPoints) {
+ while (curDirEntrynamep, 0); if ((curChunk + sizeOfCurEntry >= CPP) || (curDirEntryInPage + 1 >= CM_DIR_EPP)) {
@@ -282,7 +282,7 @@ void cm_InitFakeRootDir() {
 // 2. we have less than CM_DIR_EPP entries in page 0
 // 3. we're not out of chunks in page 0
- while( (curDirEntry!=cm_noLocalMountPoints) &&
+ while( (curDirEntrynamep, 0) <= CPP)) {
@@ -311,7 +311,7 @@ void cm_InitFakeRootDir() {
 curPage++; // ok, page 0's done. Move on to the next page.
- while (curDirEntry!=cm_noLocalMountPoints) {
+ while (curDirEntrynamep, 0) <= CPP)) {
diff --git a/src/WINNT/afsd/cm_memmap.c b/src/WINNT/afsd/cm_memmap.c
index 63b2b8780..ab1f74d4e 100644
--- a/src/WINNT/afsd/cm_memmap.c
+++ b/src/WINNT/afsd/cm_memmap.c
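Review bot: Changing the three loop guards from `!=` to `<` (this hunk and the -282 and -311 hunks) stops the loops from walking past the end of the mount-point table when cm_noLocalMountPoints is negative, but it only masks the state that the commit message itself names as the real bug; with a negative count cm_InitFakeRootDir now silently builds a root directory with no mount points and nothing records that initialization went wrong. I would add, at the top of the function (outside these hunks), a check that the count is non-negative that logs or asserts before the first loop, so the broken initialization surfaces instead of being hidden. The added `+` line as rendered here is cut off after `curDirEntry`; assuming the new guard is `curDirEntry < cm_noLocalMountPoints` as the description states, a short comment such as `/* '<', not '!=': the count has been observed negative; never index past the table */` would keep the next maintainer from "simplifying" it back. cm_InitFakeRootDir begins and ends outside each of these hunks.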
@@ -476,7 +476,7 @@ BOOL GetTextualSid( PSID pSid, PBYTE TextualSid, LPDWORD lpdwBufferLen )
 // Check input buffer length.
 // If too small, indicate the proper size and set the last error.
- if (*lpdwBufferLen < dwSidSize)
+ if (TextualSid == NULL || *lpdwBufferLen < dwSidSize)
 {
 *lpdwBufferLen = dwSidSize;
 SetLastError(ERROR_INSUFFICIENT_BUFFER);
-- 
2.39.5
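Review bot: The new guard still dereferences lpdwBufferLen unconditionally — it is read on the right of the `||` whenever TextualSid is non-NULL, and written on the next line on every path that enters the block — so a caller that passes NULL for both pointers to ask for the required size will fault instead of getting ERROR_INSUFFICIENT_BUFFER. Either reject a NULL length pointer up front with `if (lpdwBufferLen == NULL) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }` (that belongs near the top of GetTextualSid, outside this hunk) or state the contract above the check: `// lpdwBufferLen must be non-NULL: TextualSid == NULL is a size query and the required size is always stored here.` The comparison `*lpdwBufferLen < dwSidSize` presumably relies on dwSidSize already counting the terminating NUL; its computation is not in the hunk, so I could not confirm that. GetTextualSid begins and ends outside this hunk.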