Avoid buffer overflow (bug #4693).

svn path=/trunk/; revision=44449

diff --git a/reactos/dll/win32/msafd/misc/dllmain.c b/reactos/dll/win32/msafd/misc/dllmain.c
index 9c10829..3638795 100644 (file)
--- a/reactos/dll/win32/msafd/misc/dllmain.c
+++ b/reactos/dll/win32/msafd/misc/dllmain.c
@@ -560,25 +560,31 @@ WSPBind(SOCKET Handle,
     PAFD_BIND_DATA          BindData;
     PSOCKET_INFORMATION     Socket = NULL;
     NTSTATUS                Status;
-    UCHAR                   BindBuffer[0x1A];
     SOCKADDR_INFO           SocketInfo;
     HANDLE                  SockEvent;
 
+    /* See below */
+    BindData = HeapAlloc(GlobalHeap, 0, 0xA + SocketAddressLength);
+    if (!BindData)
+    {
+        return MsafdReturnWithErrno(STATUS_INSUFFICIENT_RESOURCES, lpErrno, 0, NULL);
+    }
+
     Status = NtCreateEvent(&SockEvent,
                            GENERIC_READ | GENERIC_WRITE,
                            NULL,
                            1,
                            FALSE);
 
-    if( !NT_SUCCESS(Status) )
-        return -1;
+    if (!NT_SUCCESS(Status))
+    {
+        HeapFree(GlobalHeap, 0, BindData);
+        return SOCKET_ERROR;
+    }
 
     /* Get the Socket Structure associate to this Socket*/
     Socket = GetSocketStructure(Handle);
 
-    /* Dynamic Structure...ugh */
-    BindData = (PAFD_BIND_DATA)BindBuffer;
-
     /* Set up Address in TDI Format */
     BindData->Address.TAAddressCount = 1;
     BindData->Address.Address[0].AddressLength = SocketAddressLength - sizeof(SocketAddress->sa_family);
@@ -633,9 +639,9 @@ WSPBind(SOCKET Handle,
     Socket->SharedData.State = SocketBound;
     Socket->TdiAddressHandle = (HANDLE)IOSB.Information;
 
-    NtClose( SockEvent );
-
-    return MsafdReturnWithErrno ( Status, lpErrno, 0, NULL );
+    NtClose(SockEvent);
+    HeapFree(GlobalHeap, 0, BindData);
+    return MsafdReturnWithErrno(Status, lpErrno, 0, NULL);
 }
 
 int