<p dir="ltr">It seems to me that the change to GetReqExtra should indeed be merged. I think now we're just debating what to do with any possibly-hazardous callers. Kees, perhaps you could split the patch?</p>
<p dir="ltr">Regarding the rest, I like Alan's comments, and would add:</p>
<p dir="ltr">On Jun 6, 2013 9:17 PM, "Alan Coopersmith" <<a href="mailto:alan.coopersmith@oracle.com">alan.coopersmith@oracle.com</a>> wrote:<br>
> On 06/ 6/13 10:40 AM, Kees Cook wrote:<br>
>> Two users of GetReqExtra pass arbitrarily sized allocations from the<br>
>> caller (ModMap and Host). Adjust _XGetRequest() (called by the GetReqExtra<br>
>> macro) to double-check the requested length and invalidate "req" when this<br>
>> happens. Users of GetReqExtra passing lengths greater than the Xlib buffer<br>
>> size (normally 16K) now check "req" and fail if something has gone wrong.<br>
><br>
> An alternative would be to convert them to use Data instead of GetReqExtra()<br>
> as the requests like PutImage do that truly send arbitrarily large data to<br>
> the server, but I'm not sure it's worth it in these cases.</p>
<p dir="ltr">Since the original bug report was about xhost failing on long hostnames, maybe it actually is worthwhile to make the Host routines use Data?</p>
<p dir="ltr">>> diff --git a/src/ModMap.c b/src/ModMap.c<br>
>> index 5c5b426..f66e559 100644<br>
>> --- a/src/ModMap.c<br>
>> +++ b/src/ModMap.c<br>
>> @@ -80,6 +80,10 @@ XSetModifierMapping(<br>
>><br>
>> LockDisplay(dpy);<br>
>> GetReqExtra(SetModifierMapping, mapSize, req);<br>
>> + if (!req) {<br>
>> + UnlockDisplay(dpy);<br>
>> + return 2;<br>
><br>
> Style nit, please return MappingFailed instead of the raw value. (I see<br>
> the comment above the function uses the raw values instead of the symbolic<br>
> names used in the man pages and server side code, which is unfortunate.)<br>
><br>
><br>
>> + }<br>
>><br>
>> req->numKeyPerModifier = modifier_map->max_keypermod;<br>
><br>
> Since the protocol defines that as a single byte, we should probably reject<br>
> at the top of the function any modifier_map->max_keypermod > 255, as otherwise<br>
> we send a packet to the X server with more data than expected, which it will<br>
> reject - and that limit would also keep the mapSize within the normal Xlib<br>
> buffer size. That doesn't need to be this patch though.</p>
<p dir="ltr">I like this plan. Is MappingFailed the right return value for an out-of-range value?</p>
<p dir="ltr">Jamey</p>