$OpenBSD: patch-src_sys_rmtsysc_c,v 1.1 2011/03/02 10:38:04 jasper Exp $

Security fix for OpenAFS Security Advisory 2009-001 (CVE-2009-1251).
http://www.openafs.org/security/OPENAFS-SA-2009-001.txt

--- src/sys/rmtsysc.c.orig	Wed Nov 28 06:08:11 2007
+++ src/sys/rmtsysc.c	Fri Feb  4 16:05:02 2011
@@ -241,8 +241,14 @@ pioctl(char *path, afs_int32 cmd, struct ViceIoctl *da
     InData.rmtbulk_len = data->in_size;
     InData.rmtbulk_val = inbuffer;
     inparam_conversion(cmd, InData.rmtbulk_val, 0);
-    OutData.rmtbulk_len = data->out_size;
-    OutData.rmtbulk_val = data->out;
+
+    OutData.rmtbulk_len = MAXBUFFERLEN * sizeof(*OutData.rmtbulk_val);
+    OutData.rmtbulk_val = malloc(OutData.rmtbulk_len); 
+    if (!OutData.rmtbulk_val) {
+	free(inbuffer);
+	return -1;
+    }
+
     /* We always need to pass absolute pathnames to the remote pioctl since we
      * lose the current directory value when doing an rpc call. Below we
      * prepend the current absolute path directory, if the name is relative */
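Review bot: The reply buffer added here is allocated with `malloc`, so its contents are uninitialised, and the second hunk later copies `data->out_size` bytes out of it into the caller's buffer. Zero-filling it, for example `OutData.rmtbulk_val = calloc(MAXBUFFERLEN, sizeof(*OutData.rmtbulk_val));`, would keep stale heap bytes from reaching the caller when the reply is shorter than the copy. The failure branch also returns -1 after `free(inbuffer)` without setting `errno`, whereas the other new error path sets it explicitly; adding `errno = ENOMEM;` just before the `return -1;` would make the two consistent. The body of pioctl continues outside this hunk, so any early exit between this allocation and the final `free(OutData.rmtbulk_val)` should be checked for a leak.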
@@ -279,8 +285,15 @@ pioctl(char *path, afs_int32 cmd, struct ViceIoctl *da
     if (!errorcode) {
 	/* Do the conversions back to the host order; store the results back
 	 * on the same buffer */
-	outparam_conversion(cmd, OutData.rmtbulk_val, 1);
+	if (data->out_size < OutData.rmtbulk_len) {
+	    errno = EINVAL;
+	    errorcode = -1;
+	} else {
+	    memcpy(data->out, OutData.rmtbulk_val, data->out_size);
+	    outparam_conversion(cmd, data->out, 1);
+	}
     }
+    free(OutData.rmtbulk_val);
     free(inbuffer);
     return errorcode;
 }
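Review bot: The `memcpy` in the new else branch copies `data->out_size` bytes, but the guard above it only establishes that `data->out_size` is at least `OutData.rmtbulk_len`, so the copy can be longer than the data actually returned. If the caller passes an `out_size` larger than the `MAXBUFFERLEN` allocation made in the first hunk, this reads past the end of the heap buffer; for smaller values it still copies bytes the reply did not fill. Copying only the reply length avoids both: `memcpy(data->out, OutData.rmtbulk_val, OutData.rmtbulk_len);`. This assumes the RPC call between the hunks (not visible here) updates `OutData.rmtbulk_len` to the reply size, which the new comparison suggests. A short comment on the guard saying that a reply larger than the caller's buffer is rejected with EINVAL would also help the next reader.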
