From d4f1c135428ecedf6ce1e5ddd4e385560037f04c Mon Sep 17 00:00:00 2001
From: Bill Zissimopoulos
Date: Thu, 18 Feb 2016 16:10:17 -0800
Subject: [PATCH] sys: IRP_MJ_QUERY_SECURITY
---
 src/sys/security.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/sys/security.c b/src/sys/security.c
index 550b9940..e287c5f3 100644
--- a/src/sys/security.c
+++ b/src/sys/security.c
@@ -112,6 +112,17 @@ NTSTATUS FspFsvolQuerySecurityComplete(
 if (0 != FspIopRequestContext(Request, RequestFileNode))
 {
+ /* check that the security descriptor we got back is valid */
+ if (Response->Buffer + Response->Rsp.QuerySecurity.SecurityDescriptor.Size >
+ (PUINT8)Response + Response->Size ||
+ !RtlValidRelativeSecurityDescriptor((PVOID)Response->Buffer,
+ Response->Rsp.QuerySecurity.SecurityDescriptor.Size, 0))
+ {
+ Irp->IoStatus.Information = 0;
+ Result = STATUS_INVALID_SECURITY_DESCR;
+ FSP_RETURN();
+ }
+
 FspIopRequestContext(Request, RequestSecurityChangeNumber) =
 (PVOID)FileNode->SecurityChangeNumber;
 FspIopRequestContext(Request, RequestFileNode) = 0;
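Review bot: The upper bound in the new check, `(PUINT8)Response + Response->Size`, is taken from the response itself, and nothing in this hunk shows `Response->Size` being compared with the length of the buffer that was actually received. If that comparison is not made before this function runs, a response that overstates its own size passes the first test, and `RtlValidRelativeSecurityDescriptor` is then handed a length that extends past the real buffer. I would confirm the earlier validation and record the dependency next to the check, e.g. `/* relies on Response->Size having been validated against the received buffer length */`. Separately, the `FSP_RETURN()` path skips the `FspIopRequestContext(Request, RequestFileNode) = 0;` line that follows, so it is worth confirming the file node is still released when the descriptor is rejected. The function body starts and ends outside the hunk.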