From 933db7194dc90cd4e6ffe38caee9921311404bb2 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Wed, 6 Aug 2008 06:13:09 +0000
Subject: [PATCH] DEVEL15-windows-afssw-20080806

LICENSE MIT

prevent buffer underrun and overrun errors


(cherry picked from commit d44f1a17e4e1831ef39b8f5767a2ca7aad870fb2)
---
 src/WINNT/afsreg/afssw.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/WINNT/afsreg/afssw.c b/src/WINNT/afsreg/afssw.c
index 0fee7eba3..2755349f8 100644
--- a/src/WINNT/afsreg/afssw.c
+++ b/src/WINNT/afsreg/afssw.c
@@ -12,6 +12,7 @@
 
 #include <windows.h>
 #include <shlobj.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <stddef.h>
 #include <string.h>
@@ -87,16 +88,16 @@ afssw_GetClientCellServDBDir(char **bufPP)   /* [out] data buffer */
     if (cbPath) {
         cbPath += 2;
         path = malloc(cbPath);
-    }
-    if (path) {
-        GetEnvironmentVariable("AFSCONF", path, cbPath);
-        tlen = (int)strlen(path);
-        if (path[tlen-1] != '\\') {
-            strncat(path, "\\", cbPath);
-            path[cbPath-1] = '\0';
+        if (path) {
+            GetEnvironmentVariable("AFSCONF", path, cbPath);
+            tlen = (int)strlen(path);
+            if (path[tlen-1] != '\\') {
+                strncat(path, "\\", cbPath);
+                path[cbPath-1] = '\0';
+            }
+            *bufPP = path;
+            return 0;
         }
-        *bufPP = path;
-        return 0;
     }
 
     if (!StringDataRead(AFSREG_CLT_OPENAFS_KEY,
@@ -104,8 +105,12 @@ afssw_GetClientCellServDBDir(char **bufPP)   /* [out] data buffer */
                          &path)) {
         tlen = (int)strlen(path);
         if (path[tlen-1] != '\\') {
-            strncat(path, "\\", cbPath);
-            path[cbPath-1] = '\0';
+            char * newPath = malloc(tlen+2);
+            if (newPath) {
+                snprintf(newPath,tlen+2,"%s\\",path);
+                free(path);
+                path = newPath;
+            }
         }
         *bufPP = path;
         return 0;
@@ -115,6 +120,7 @@ afssw_GetClientCellServDBDir(char **bufPP)   /* [out] data buffer */
      * Try to find the All Users\Application Data\OpenAFS\Client directory.
      * If it exists and it contains a CellServDB file, return that. 
      * Otherwise, return the Install Directory for backward compatibility.
+     * SHGetFolderPath requires wdir to be of length MAX_PATH which is 260.
      */
     if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_COMMON_APPDATA, NULL, 
                                     SHGFP_TYPE_CURRENT, wdir)))
-- 
2.39.5