From fd27453ef47a7c88f343101db8ca89650eba4f92 Mon Sep 17 00:00:00 2001
From: David Howells
Date: Thu, 15 May 2003 16:12:15 +0000
Subject: [PATCH] STABLE12-pioctl-buffer-size-checking-20030512

FIXES 1413

buffers are signed, should be checked for negative in addition to smaller than PIGGYSIZE; also, check out buffer size before calling pioctl handler.

(cherry picked from commit 7cd283e55e3559a42f451cf5d5f5d9dd09d20f21)
---
 src/afs/afs_pioctl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 1b8912454..bbe233f0a 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1084,7 +1084,11 @@ afs_HandlePioctl(avc, acom, ablob, afollow, acred)
 return EINVAL; /* out of range */
 }
 inSize = ablob->in_size;
- if (inSize >= PIGGYSIZE) return E2BIG;
+
+ /* Do all range checking before continuing */
+ if ((inSize >= PIGGYSIZE) || (inSize < 0)) return E2BIG;
+ if ((ablob->out_size >= PIGGYSIZE) || (ablob->out_size < 0)) return E2BIG;
+
 inData = osi_AllocLargeSpace(AFS_LRALLOCSIZ);
 if (inSize > 0) {
 AFS_COPYIN(ablob->in, inData, inSize, code);
-- 
2.39.5
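Review bot: Nothing in this hunk ties PIGGYSIZE, which both new checks compare against, to AFS_LRALLOCSIZ, the size `inData` is allocated with on the very next line before `AFS_COPYIN` writes `inSize` bytes into it. If the two constants are defined independently, a later change to either could let a size that passes the check overrun the buffer. I would state the invariant next to the check, e.g. `/* PIGGYSIZE <= AFS_LRALLOCSIZ: inData is AFS_LRALLOCSIZ bytes and AFS_COPYIN writes inSize bytes */`, or enforce it at build time where the constants are defined. Separately, a negative size is reported as `E2BIG`; `EINVAL`, already used just above for the out-of-range case, may describe it better, though that changes the errno callers see. afs_HandlePioctl begins and ends outside the hunk, so the declaration of `inSize` and the later uses of `ablob->out_size` are not visible here.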