From b624ecbfce529dd6710ee1ca3904e51efa14e5db Mon Sep 17 00:00:00 2001
From: David Fort
Date: Mon, 2 Oct 2017 20:57:27 +0200
Subject: [PATCH] Fix for #4161 The checks were wrong, fix them.
---
 channels/drive/client/drive_main.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c
index c056cc8..6f3d54b 100644
--- a/channels/drive/client/drive_main.c
+++ b/channels/drive/client/drive_main.c
@@ -167,16 +167,19 @@ static UINT drive_process_irp_create(DRIVE_DEVICE* drive, IRP* irp)
 if (!drive || !irp || !irp->devman || !irp->Complete)
 return ERROR_INVALID_PARAMETER;
- Stream_Read_UINT32(irp->input, DesiredAccess);
- Stream_Read_UINT64(irp->input, allocationSize);
- if (Stream_GetRemainingLength(irp->input) < allocationSize)
+ if (Stream_GetRemainingLength(irp->input) < 6*4+8)
 return ERROR_INVALID_DATA;
+ Stream_Read_UINT32(irp->input, DesiredAccess);
+ Stream_Read_UINT64(irp->input, allocationSize);
 Stream_Read_UINT32(irp->input, FileAttributes);
 Stream_Read_UINT32(irp->input, SharedAccess);
 Stream_Read_UINT32(irp->input, CreateDisposition);
 Stream_Read_UINT32(irp->input, CreateOptions);
 Stream_Read_UINT32(irp->input, PathLength);
+ if (Stream_GetRemainingLength(irp->input) < PathLength)
+ return ERROR_INVALID_DATA;
+ path = (WCHAR*) Stream_Pointer(irp->input);
 FileId = irp->devman->id_sequence++;
 file = drive_file_new(drive->path, path, PathLength, FileId, DesiredAccess, CreateDisposition,
--
2.7.4
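Review bot: The new guard before `path = (WCHAR*) Stream_Pointer(irp->input);` only proves that `PathLength` bytes remain in the stream; a peer-supplied `PathLength` that is odd still reaches the `WCHAR*` cast and `drive_file_new`, and nothing visible here requires the path to be terminated. How `drive_file_new` interprets the length is outside this hunk, so that should be confirmed; if it treats the bytes as UTF-16 code units, the check could become `if ((PathLength % sizeof(WCHAR)) != 0 || Stream_GetRemainingLength(irp->input) < PathLength)`. Separately, the literal `6*4+8` in the first guard deserves a comment such as `/* six UINT32 fields plus the UINT64 allocationSize */` so the bound stays in step with the reads that follow it. The body of drive_process_irp_create starts and ends outside the hunk.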