From b9e4c1bb4d463807ca42cea91593ec4eaa892e6e Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Thu, 31 Mar 2005 07:05:47 +0000 Subject: [PATCH] STABLE14-windows-afsd-minor-20050330 Add bounds checking to the comparison of fid->vnode and cm_localMountPoints when Freelance mode is used. Fix typo in DJGPP section of smb.c Use rx_connection * instead of rx_call * in previous fix to cm_dcache.c (cherry picked from commit 0a9609d8eb599dfe11ff04d8752e15b58c3ef89d)
---
 src/WINNT/afsd/cm_dcache.c | 27 +++++++++++++++------------
 src/WINNT/afsd/cm_scache.c | 7 +++++--
 src/WINNT/afsd/cm_vnodeops.c | 2 +-
 src/WINNT/afsd/smb.c | 2 +-
 4 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/src/WINNT/afsd/cm_dcache.c b/src/WINNT/afsd/cm_dcache.c
index de221e4628..8d347f6963 100644
--- a/src/WINNT/afsd/cm_dcache.c
+++ b/src/WINNT/afsd/cm_dcache.c
@@ -55,7 +55,8 @@ long cm_BufWrite(void *vfidp, osi_hyper_t *offsetp, long length, long flags,
 osi_hyper_t thyper;
 AFSVolSync volSync;
 AFSFid tfid;
- struct rx_call *oldCallp, *callp;
+ struct rx_call *callp;
+ struct rx_connection *rxconnp;
 osi_queueData_t *qdp;
 cm_buf_t *bufp;
 long wbytes;
@@ -129,9 +130,9 @@ long cm_BufWrite(void *vfidp, osi_hyper_t *offsetp, long length, long flags,
 if (code) continue;
- oldCallp = cm_GetRxConn(connp);
- callp = rx_NewCall(oldCallp);
- rx_PutConnection(oldCallp);
+ rxconnp = cm_GetRxConn(connp);
+ callp = rx_NewCall(rxconnp);
+ rx_PutConnection(rxconnp);
 osi_Log3(afsd_logp, "CALL StoreData scp 0x%x, off 0x%x, size 0x%x", (long) scp, biod.offset.LowPart, nbytes);
@@ -238,7 +239,8 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
 long code;
 long truncPos;
 cm_conn_t *connp;
- struct rx_call *oldCallp, *callp;
+ struct rx_call *callp;
+ struct rx_connection *rxconnp;
 /* Serialize StoreData RPC's; for rationale see cm_scache.c */
 (void) cm_SyncOp(scp, NULL, userp, reqp, 0,
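Review bot: Nothing in the `@@ -129,9 +130,9 @@` hunk says why `rx_PutConnection(rxconnp);` may run immediately after `callp = rx_NewCall(rxconnp);` while `callp` is still in use, and `rxconnp` is passed to `rx_NewCall` without a visible NULL check. If the call is meant to keep its own hold on the connection, a one-line comment such as `/* the new call holds the connection; drop our reference now */` would record that assumption. If `cm_GetRxConn` can fail (not visible here), the result should be tested before `rx_NewCall`. The same three-line sequence is repeated in the cm_StoreMini and cm_GetBuffer hunks, so a small static helper returning the new call would keep the three sites consistent. cm_BufWrite's body starts and ends outside the hunk.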
@@ -266,9 +268,9 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
 if (code) continue;
- oldCallp = cm_GetRxConn(connp);
- callp = rx_NewCall(oldCallp);
- rx_PutConnection(oldCallp);
+ rxconnp = cm_GetRxConn(connp);
+ callp = rx_NewCall(rxconnp);
+ rx_PutConnection(rxconnp);
 code = StartRXAFS_StoreData(callp, &tfid, &inStatus, 0, 0, truncPos);
@@ -1120,7 +1122,8 @@ long cm_GetBuffer(cm_scache_t *scp, cm_buf_t *bufp, int *cpffp, cm_user_t *up,
 cm_buf_t *tbufp; /* buf we're filling */
 osi_queueData_t *qdp; /* q element we're scanning */
 AFSFid tfid;
- struct rx_call *oldCallp, *callp;
+ struct rx_call *callp;
+ struct rx_connection *rxconnp;
 cm_bulkIO_t biod; /* bulk IO descriptor */
 cm_conn_t *connp;
 int getroot;
@@ -1252,9 +1255,9 @@ long cm_GetBuffer(cm_scache_t *scp, cm_buf_t *bufp, int *cpffp, cm_user_t *up,
 if (code) continue;
- oldCallp = cm_GetRxConn(connp);
- callp = rx_NewCall(oldCallp);
- rx_PutConnection(oldCallp);
+ rxconnp = cm_GetRxConn(connp);
+ callp = rx_NewCall(rxconnp);
+ rx_PutConnection(rxconnp);
 osi_Log3(afsd_logp, "CALL FetchData vp %x, off 0x%x, size 0x%x", (long) scp, biod.offset.LowPart, biod.length);
diff --git a/src/WINNT/afsd/cm_scache.c b/src/WINNT/afsd/cm_scache.c
index 81d9d2230c..304edbc0fc 100644
--- a/src/WINNT/afsd/cm_scache.c
+++ b/src/WINNT/afsd/cm_scache.c
@@ -412,7 +412,7 @@ long cm_GetSCache(cm_fid_t *fidp, cm_scache_t **outScpp, cm_user_t *userp,
 if (cm_freelanceEnabled && special) {
 osi_Log0(afsd_logp,"cm_getSCache Freelance and special");
- if (fidp->vnode > 1) {
+ if (fidp->vnode > 1 && fidp->vnode <= cm_localMountPoints + 2) {
 lock_ObtainMutex(&cm_Freelance_Lock);
 mp =(cm_localMountPoints+fidp->vnode-2)->mountPointStringp;
 lock_ReleaseMutex(&cm_Freelance_Lock);
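Review bot: The new upper bound `fidp->vnode <= cm_localMountPoints + 2` compares the vnode number with an address rather than with an entry count, because two lines later `cm_localMountPoints` is the base pointer of the table (`(cm_localMountPoints+fidp->vnode-2)->mountPointStringp`). The test will therefore pass for practically any vnode value, and the out-of-bounds read this commit set out to stop is still reachable. The bound should be the number of entries, with the index strictly below it, e.g. `if (fidp->vnode > 1 && fidp->vnode - 2 < cm_noLocalMountPoints) {`, assuming `cm_noLocalMountPoints` is the counter this tree keeps for the table (confirm the name). The test also runs before `lock_ObtainMutex(&cm_Freelance_Lock)`, so the count should be read under the same lock as the dereference. The same comparison is repeated in the `@@ -432,7 +432,10 @@` hunk, and cm_GetSCache's body continues outside this one.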
@@ -432,7 +432,10 @@ long cm_GetSCache(cm_fid_t *fidp, cm_scache_t **outScpp, cm_user_t *userp,
 cm_data.hashTablep[hash]=scp;
 scp->flags |= CM_SCACHEFLAG_INHASH;
 scp->refCount = 1;
- scp->fileType = (cm_localMountPoints+fidp->vnode-2)->fileType;
+ if (fidp->vnode > 1 && fidp->vnode <= cm_localMountPoints + 2)
+ scp->fileType = (cm_localMountPoints+fidp->vnode-2)->fileType;
+ else
+ scp->fileType = CM_SCACHETYPE_INVALID;
 lock_ObtainMutex(&cm_Freelance_Lock);
 scp->length.LowPart = strlen(mp)+4;
diff --git a/src/WINNT/afsd/cm_vnodeops.c b/src/WINNT/afsd/cm_vnodeops.c
index 58eaa5730c..21747e98a3 100644
--- a/src/WINNT/afsd/cm_vnodeops.c
+++ b/src/WINNT/afsd/cm_vnodeops.c
@@ -595,7 +595,7 @@ long cm_ApplyDir(cm_scache_t *scp, cm_DirFuncp_t funcp, void *parmp,
 break;
 }
 } /* if (wrong buffer) ... */
-
+
 /* now we have the buffer containing the entry we're interested
 * in; copy it out if it represents a non-deleted entry.
 */
diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index ebb3b088c7..5ba1b800f0 100644
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -7272,7 +7272,7 @@ void smb_Server(VOID *parmp)
 "bufp=0x%x\n", bufp->dos_pkt / 16, bufp);*/
 fflush(stderr);
- dosmemget(bufp->dos_pkt, ncbp-d>ncb_length, bufp->data);
+ dosmemget(bufp->dos_pkt, ncbp->ncb_length, bufp->data);
 #endif /* DJGPP */
 smbp = (smb_t *)bufp->data;
 outbufp->flags = 0;
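Review bot: The range test in the `@@ -432,7 +432,10 @@` hunk runs only after the context lines above it have linked the entry into the hash table (`cm_data.hashTablep[hash]=scp;`, `scp->flags |= CM_SCACHEFLAG_INHASH;`). An out-of-range vnode therefore leaves a cached entry typed `CM_SCACHETYPE_INVALID`, and execution still reaches `strlen(mp)+4`. It would be safer to validate the vnode once, before the entry is inserted, and fail the lookup there instead of repeating the test at each use. Whether `mp` is always set on the out-of-range path depends on code outside the hunk and should be confirmed. The table read also happens before `lock_ObtainMutex(&cm_Freelance_Lock)` on the following line, unlike the earlier hunk where the read is inside the lock, and the un-braced `if`/`else` should get braces.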