Bug #8935
SMB ioctl fixes incomplete
100%
Description
The recent fixes to the SMB ioctl interface seem to have resolved the issue of the copyin() that is directly part of smb_drv_ioctl().
However, this is not the only length field prefixing variable-length data in the interface. For example, smb_svcenum_t includes a member se_buflen that contains the length of the buffer for enumeration data. It also includes se_nlimit and friends which are used to control how much to write out. These are eventually used in smb_user_enum_private(), at the bottom of a long stack of calls.
smb_svcenum_t is not the only one of the union members that's variable-length, either! And any one of them that's unchecked will lead us to write over the end of the buffer. To truly fix this bug, all of these need to be carefully inspected and length checking against the original allocation length needs to be added at each stage. We cannot trust counts from userland like se_nlimit unless they are checked!
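To make the two-stage problem concrete, here is an added, self-contained C model of the pattern described above. It is not illumos code: svcenum_t is a simplified stand-in for the smb_svcenum_t shape (a header with se_buflen and se_nlimit followed by variable-length data), and REC_SIZE, MAX_ENUM_BUF, enum_copyin, enum_private_unchecked, enum_private_checked and the helper names are all assumptions made for the illustration. The first stage mirrors the already-fixed copyin sizing; the second stage shows a bottom-of-stack writer that trusts se_nlimit beside one that clamps both userland counts against the allocation length handed down the call chain.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not illumos code. svcenum_t stands in for the
 * smb_svcenum_t shape the report describes; REC_SIZE, MAX_ENUM_BUF and
 * every name other than se_buflen/se_nlimit are assumptions.
 */
#define REC_SIZE	16u		/* bytes per enumeration record */
#define MAX_ENUM_BUF	(1u << 20)	/* largest se_buf the driver allocates */

typedef struct svcenum {
	uint32_t se_buflen;	/* userland: bytes available in se_buf */
	uint32_t se_nlimit;	/* userland: max records wanted */
	uint32_t se_nitems;	/* driver: records actually written */
	uint8_t  se_buf[];	/* variable-length enumeration data */
} svcenum_t;

/*
 * Stage 1 (the part already fixed): copy the fixed header, size the
 * allocation from se_buflen, then copy the whole thing. ulen is the size
 * of the caller's buffer; a real copyin() would fault instead.
 */
svcenum_t *
enum_copyin(const void *uarg, size_t ulen, size_t *alloc_len)
{
	svcenum_t hdr, *se;

	if (ulen < sizeof (hdr))
		return (NULL);
	memcpy(&hdr, uarg, sizeof (hdr));
	if (hdr.se_buflen > MAX_ENUM_BUF)
		return (NULL);		/* EINVAL: refuse huge allocations */
	*alloc_len = sizeof (hdr) + hdr.se_buflen;
	if (*alloc_len > ulen)
		return (NULL);		/* EFAULT analogue */
	if ((se = malloc(*alloc_len)) == NULL)
		return (NULL);
	memcpy(se, uarg, *alloc_len);
	return (se);
}

/*
 * Stage 2, the bug pattern: the writer at the bottom of the call stack
 * trusts se_nlimit and never learns how big se_buf really is.
 */
static void
enum_private_unchecked(svcenum_t *se)
{
	uint8_t *p = se->se_buf;

	for (uint32_t i = 0; i < se->se_nlimit; i++, p += REC_SIZE)
		memset(p, 0x41, REC_SIZE);	/* "write one record" */
	se->se_nitems = se->se_nlimit;
}

/*
 * Hardened writer: the allocation length travels down the stack and both
 * userland counts are clamped against it. Returns records written, or -1
 * when se_buflen claims more than the allocation holds.
 */
int
enum_private_checked(svcenum_t *se, size_t alloc_len)
{
	uint8_t *p = se->se_buf;
	size_t fit;
	uint32_t n;

	if (alloc_len < sizeof (*se) ||
	    se->se_buflen > alloc_len - sizeof (*se))
		return (-1);
	fit = se->se_buflen / REC_SIZE;
	n = se->se_nlimit < fit ? se->se_nlimit : (uint32_t)fit;
	for (uint32_t i = 0; i < n; i++, p += REC_SIZE)
		memset(p, 0x41, REC_SIZE);
	se->se_nitems = n;
	return ((int)n);
}

/*
 * Run the unchecked writer on a request whose se_nlimit promises twice what
 * se_buflen holds, with a canary after the allocation; 1 if it was hit.
 */
int
unchecked_clobbers_canary(void)
{
	enum { BUFLEN = 64, CANARY = 256 };
	size_t total = sizeof (svcenum_t) + BUFLEN;
	uint8_t *mem = calloc(1, total + CANARY);
	svcenum_t *se = (svcenum_t *)mem;
	int hit;

	se->se_buflen = BUFLEN;
	se->se_nlimit = 8;		/* 8 * REC_SIZE = 128 > 64 */
	memset(mem + total, 0xCC, CANARY);
	enum_private_unchecked(se);
	hit = memchr(mem + total, 0x41, CANARY) != NULL;
	free(mem);
	return (hit);
}

/* Same kind of request through copyin and the hardened writer. */
int
checked_path(uint32_t buflen, uint32_t nlimit)
{
	size_t usz = sizeof (svcenum_t) + buflen, alloc_len;
	svcenum_t *ureq = calloc(1, usz), *kreq;
	int n;

	ureq->se_buflen = buflen;
	ureq->se_nlimit = nlimit;
	kreq = enum_copyin(ureq, usz, &alloc_len);
	n = kreq ? enum_private_checked(kreq, alloc_len) : -2;
	free(kreq);
	free(ureq);
	return (n);
}
```

The point of passing alloc_len down explicitly is that se_buflen itself came from userland: the check at the bottom compares it against the size the driver actually allocated, so a member of the union with a different sizing rule, or a caller that reached the writer by another path, cannot turn a mismatched count into an overrun.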