$OpenBSD: patch-src_afs_VNOPS_afs_vnop_lookup_c,v 1.1 2011/03/02 10:38:03 jasper Exp $

Security fix for OpenAFS Security Advisory 2009-001 (CVE-2009-1251).
http://www.openafs.org/security/OPENAFS-SA-2009-001.txt

--- src/afs/VNOPS/afs_vnop_lookup.c.orig	Tue Apr 15 14:29:56 2008
+++ src/afs/VNOPS/afs_vnop_lookup.c	Fri Feb  4 16:05:02 2011
@@ -538,8 +538,6 @@ afs_DoBulkStat(struct vcache *adp, long dirCookie, str
     int nskip;			/* # of slots in the LRU queue to skip */
     struct vcache *lruvcp;	/* vcache ptr of our goal pos in LRU queue */
     struct dcache *dcp;		/* chunk containing the dir block */
-    char *statMemp;		/* status memory block */
-    char *cbfMemp;		/* callback and fid memory block */
     afs_size_t temp;		/* temp for holding chunk length, &c. */
     struct AFSFid *fidsp;	/* file IDs were collecting */
     struct AFSCallBack *cbsp;	/* call back pointers */
@@ -597,13 +595,11 @@ afs_DoBulkStat(struct vcache *adp, long dirCookie, str
      * one for fids and callbacks, and one for stat info.  Well set
      * up our pointers to the memory from there, too.
      */
-    statMemp = osi_AllocLargeSpace(nentries * sizeof(AFSFetchStatus));
-    statsp = (struct AFSFetchStatus *)statMemp;
-    cbfMemp =
-	osi_AllocLargeSpace(nentries *
-			    (sizeof(AFSCallBack) + sizeof(AFSFid)));
-    fidsp = (AFSFid *) cbfMemp;
-    cbsp = (AFSCallBack *) (cbfMemp + nentries * sizeof(AFSFid));
+    statsp = (AFSFetchStatus *) 
+	    osi_Alloc(AFSCBMAX * sizeof(AFSFetchStatus));
+    fidsp = (AFSFid *) osi_AllocLargeSpace(nentries * sizeof(AFSFid));
+    cbsp = (AFSCallBack *) 
+	    osi_Alloc(AFSCBMAX * sizeof(AFSCallBack));
 
     /* next, we must iterate over the directory, starting from the specified
      * cookie offset (dirCookie), and counting out nentries file entries.
@@ -1091,8 +1087,9 @@ afs_DoBulkStat(struct vcache *adp, long dirCookie, str
 	code = 0;
     }
   done2:
-    osi_FreeLargeSpace(statMemp);
-    osi_FreeLargeSpace(cbfMemp);
+    osi_FreeLargeSpace((char *)fidsp);
+    osi_Free((char *)statsp, AFSCBMAX * sizeof(AFSFetchStatus));
+    osi_Free((char *)cbsp, AFSCBMAX * sizeof(AFSCallBack));
     return code;
 }
 
