From 29b651a1fea14e8bc87c317264af95843c3ca2e3 Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber@reactos.org>
Date: Mon, 3 Oct 2011 15:23:51 +0000
Subject: [PATCH] [MSAFD] - Correctly handle an arbitrarily large sockaddr in
 WSPConnect. Fixes mIRC 7.1x crash on connect See issue #6005 for more
 details.

svn path=/trunk/; revision=53962
---
 reactos/dll/win32/msafd/misc/dllmain.c | 30 ++++++++++++++++++--------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/reactos/dll/win32/msafd/misc/dllmain.c b/reactos/dll/win32/msafd/misc/dllmain.c
index 037e0a3233b..0397fe1f691 100644
--- a/reactos/dll/win32/msafd/misc/dllmain.c
+++ b/reactos/dll/win32/msafd/misc/dllmain.c
@@ -1431,16 +1431,16 @@ WSPConnect(SOCKET Handle,
            LPINT lpErrno)
 {
     IO_STATUS_BLOCK         IOSB;
-    PAFD_CONNECT_INFO       ConnectInfo;
-    PSOCKET_INFORMATION     Socket = NULL;
+    PAFD_CONNECT_INFO       ConnectInfo = NULL;
+    PSOCKET_INFORMATION     Socket;
     NTSTATUS                Status;
     INT                     Errno;
-    UCHAR                   ConnectBuffer[0x22];
     ULONG                   ConnectDataLength;
     ULONG                   InConnectDataLength;
     INT                     BindAddressLength;
     PSOCKADDR               BindAddress;
     HANDLE                  SockEvent;
+    int                     SocketDataLength;
 
     Status = NtCreateEvent(&SockEvent,
                            GENERIC_READ | GENERIC_WRITE,
@@ -1506,16 +1506,26 @@ WSPConnect(SOCKET Handle,
             goto notify;
     }
 
-    /* Dynamic Structure...ugh */
-    ConnectInfo = (PAFD_CONNECT_INFO)ConnectBuffer;
+    /* Calculate the size of SocketAddress->sa_data */
+    SocketDataLength = SocketAddressLength - FIELD_OFFSET(struct sockaddr, sa_data);
+
+    /* Allocate a connection info buffer with SocketDataLength bytes of payload */
+    ConnectInfo = HeapAlloc(GetProcessHeap(), 0,
+                            FIELD_OFFSET(AFD_CONNECT_INFO,
+                                         RemoteAddress.Address[0].Address[SocketDataLength]));
+    if (!ConnectInfo)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+        goto notify;
+    }
 
     /* Set up Address in TDI Format */
     ConnectInfo->RemoteAddress.TAAddressCount = 1;
-    ConnectInfo->RemoteAddress.Address[0].AddressLength = SocketAddressLength - sizeof(SocketAddress->sa_family);
+    ConnectInfo->RemoteAddress.Address[0].AddressLength = SocketDataLength;
     ConnectInfo->RemoteAddress.Address[0].AddressType = SocketAddress->sa_family;
-    RtlCopyMemory (ConnectInfo->RemoteAddress.Address[0].Address,
-                   SocketAddress->sa_data,
-                   SocketAddressLength - sizeof(SocketAddress->sa_family));
+    RtlCopyMemory(ConnectInfo->RemoteAddress.Address[0].Address,
+                  SocketAddress->sa_data,
+                  SocketDataLength);
 
     /*
     * Disable FD_WRITE and FD_CONNECT
@@ -1613,6 +1623,8 @@ WSPConnect(SOCKET Handle,
     AFD_DbgPrint(MID_TRACE,("Ending\n"));
 
 notify:
+    if (ConnectInfo) HeapFree(GetProcessHeap(), 0, ConnectInfo);
+
     /* Re-enable Async Event */
     SockReenableAsyncSelectEvent(Socket, FD_WRITE);