[PATCH] Fix handling of SendEvent requests which set the SendEvent bit before sending the event down the wire
Peter Hutterer
peter.hutterer at who-t.net
Tue Sep 13 13:57:50 PDT 2011
On Tue, Sep 13, 2011 at 07:31:12PM +0800, Sam Spilsbury wrote:
> Hi,
>
> I haven't contributed any patches to X11 before so excuse me if I'm
> terribly in the wrong.
>
> I noticed that the server is not removing the SendEvent (0x80) bit in
> ProcSendEvent in dix/events.c before doing range checks on the event
> type. This would cause these range checks to return an invalid BadValue
> error.
>
> I am not sure if this is *really* a bug in the server or a bug in
> extension libraries (like libXext) who set the SendEvent bit before
> converting the event to wire format, since ProcSendEvent sets the
> SendEvent bit anyways just before it writes the event to the client.
>
> This at least fixed a case for me where sending synthetic ShapeNotify
> events to clients resulted in a BadValue error.
>
> Anyways, patch attached,
>
> Thanks,
>
> Sam
> From 4ce5d1cab01b911ab9672dbd1e773faace62e243 Mon Sep 17 00:00:00 2001
> From: Sam Spilsbury <sam.spilsbury at canonical.com>
> Date: Tue, 13 Sep 2011 19:17:56 +0800
> Subject: [PATCH] Fix SendEvent requests coming from extensions which set 0x80
> being invalid.
>
> Some (broken?) extension libraries set the SendEvent "magic" bit in the
> event->type field before sending the request down the wire, so when we
> did a range check on event->type it is possible that it could have been
> invalid (this is at least the case for XShape). As such, we should remove 0x80
> from the bitfield before doing a range check on the event. This is safe
> since we will re-set 0x80 on the bitfield after checking the event
> before writing it to the client.
> ---
> dix/events.c | 11 +++++++++++
> 1 files changed, 11 insertions(+), 0 deletions(-)
>
> diff --git a/dix/events.c b/dix/events.c
> index 8a4c6b9..cf24869 100644
> --- a/dix/events.c
> +++ b/dix/events.c
> @@ -5241,6 +5241,17 @@ ProcSendEvent(ClientPtr client)
>
> REQUEST_SIZE_MATCH(xSendEventReq);
>
> + /* libXext and other extension libraries may set the bit indicating
> + * that this event came from a SendEvent request so remove it
> + * since otherwise the event type may fail the range checks
> + * and cause an invalid BadValue error to be returned.
> + *
> + * This is safe to do since we later add the SendEvent bit (0x80)
> + * back in once we send the event to the client */
> +
> + if (stuff->event.u.u.type & 0x80)
> + stuff->event.u.u.type &= ~(0x80);
> +
I wouldn't mind if you added a define for this to make the code a bit more
obvious. other than that, see jamey's comments. happy to merge that once
addressed.
Cheers,
Peter
> /* The client's event type must be a core event type or one defined by an
> extension. */
>
> --
> 1.7.5.4
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
More information about the xorg-devel
mailing list