[PATCH] Fix a crash with XDMCP error handler

patrick keshishian pkeshish at gmail.com
Wed Jan 21 10:32:26 PST 2015


Hi,

On 1/21/15, Olivier Fourdan <ofourdan at redhat.com> wrote:
> The XdmcpFatal() error handler uses a string format that the
> vpnprintf() routine does not understand, as a result any XDMCP
> fatal error leads to a server crash:
>
>     (EE) (EE) BUG: triggered 'if (f[f_idx])'
>     (EE) BUG: log.c:474 in vpnprintf()
>     (EE) Unsupported printf directive '*'
>
> Rework the XdmcpFatal() code to use a simpler string format
> instead.
>
> Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
> ---
>  os/xdmcp.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/os/xdmcp.c b/os/xdmcp.c
> index b6e97c9..374ac08 100644
> --- a/os/xdmcp.c
> +++ b/os/xdmcp.c
> @@ -1409,8 +1409,11 @@ recv_alive_msg(unsigned length)
>  static void
>  XdmcpFatal(const char *type, ARRAY8Ptr status)
>  {
> -    FatalError("XDMCP fatal error: %s %*.*s\n", type,
> -               status->length, status->length, status->data);
> +    char error_message[256]; /* status length is CARD8 */

Excuse my naive observation; I'm possibly missing something.
The comment states "status length is CARD8" but the header
file (if I'm looking at the correct one) states it is CARD16:

http://cgit.freedesktop.org/xorg/lib/libXdmcp/tree/include/X11/Xdmcp.h#n80

Possibly a mistake/oversight in type definition as ARRAY{16,32}
do have lengths of type CARD8.

--patrick


> +
> +    memcpy(error_message, status->data, status->length);
> +    error_message[status->length] = '\0';
> +    FatalError("XDMCP fatal error: %s. %s\n", type, error_message);
>  }
>
>  static void
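
Review bot: the memcpy() into error_message copies status->length bytes with no check against the 256-byte buffer, and the terminator write at error_message[status->length] depends on the same unchecked value. The only thing bounding it is the "status length is CARD8" comment, and the reply in this thread points out that the header declares the length as CARD16; if so, a status longer than 255 bytes overruns the stack buffer on the fatal-error path. Clamp the length first, for example to sizeof(error_message) - 1, and use the clamped value for both the memcpy() and the NUL terminator, or fix the comment if the type really is CARD8.
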
> --
> 2.1.0
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
