From 7cd283e55e3559a42f451cf5d5f5d9dd09d20f21 Mon Sep 17 00:00:00 2001
From: David Howells
Date: Tue, 13 May 2003 04:55:13 +0000
Subject: [PATCH] pioctl-buffer-size-checking-20030512

FIXES 1413 buffers are signed, should be checked for negative in addition to smaller than PIGGYSIZE; also, check out buffer size before calling pioctl handler.
---
 src/afs/afs_pioctl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 6963bb192..ae1f184fa 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1066,7 +1066,11 @@ int afs_HandlePioctl(struct vnode *avp, afs_int32 acom,
 return EINVAL; /* out of range */
 }
 inSize = ablob->in_size;
- if (inSize >= PIGGYSIZE) return E2BIG;
+
+ /* Do all range checking before continuing */
+ if ((inSize >= PIGGYSIZE) || (inSize < 0)) return E2BIG;
+ if ((ablob->out_size >= PIGGYSIZE) || (ablob->out_size < 0)) return E2BIG;
+
 inData = osi_AllocLargeSpace(AFS_LRALLOCSIZ);
 if (inSize > 0) {
 AFS_COPYIN(ablob->in, inData, inSize, code);
-- 
2.39.5
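Review bot: The new range checks bound inSize and out_size by PIGGYSIZE, but the buffer that AFS_COPYIN fills two lines later is allocated with a different constant, AFS_LRALLOCSIZ, so the copy-in is only memory-safe if PIGGYSIZE never exceeds AFS_LRALLOCSIZ — a relationship the hunk relies on but does not state, and which I cannot verify from the lines shown. I would make it explicit next to the added comment: `/* Both sizes are bounded by PIGGYSIZE; this relies on PIGGYSIZE <= AFS_LRALLOCSIZ, the size of the inData/outData allocations below. */`. As a smaller point, a negative size is malformed input rather than "too big", and the preceding out-of-range check in this function returns EINVAL, so `if (inSize < 0 || ablob->out_size < 0) return EINVAL;` before the E2BIG checks would keep the errno semantics consistent. afs_HandlePioctl begins before this hunk and continues after it, so the use of out_size by the handler is outside what I can see.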