[PATCH] dix: Prevent access to freed memory if a client kills itself.

Rami Ylimäki rami.ylimaki at vincit.fi
Thu Sep 22 04:46:09 PDT 2011


The 'Dispatch' function accesses a freed client structure if a client
happens to kill itself in a request. For example, I have a test client
that is used to check that it handles the XIO error correctly. The XIO
error is generated by requesting the client to kill itself with
XKillClient.

Signed-off-by: Rami Ylimäki <rami.ylimaki at vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.seppala at vincit.fi>
---
 dix/dispatch.c |   32 +++++++++++++++++---------------
 1 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index 43cb4d1..cc5ee09 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3226,6 +3226,20 @@ ProcChangeAccessControl(ClientPtr client)
     return ChangeAccessControl(client, stuff->mode == EnableAccess);
 }
 
+/**
+ * Prevents a client from killing itself immediately.
+ */
+static void CloseDownClientByClient(ClientPtr client, ClientPtr killclient)
+{
+    if (client == killclient)
+    {
+        MarkClientException(client);
+        isItTimeToYield = TRUE;
+    }
+    else
+        CloseDownClient(killclient);
+}
+
 /*********************
  * CloseDownRetainedResources
  *
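Review bot: The doc comment on `CloseDownClientByClient` says only that a self-kill is not immediate, but the reason and the place where teardown then happens are the invariant that prevents the use-after-free, and they are not written down. I would expand it along the lines of `/* Dispatch() still reads the requesting client after the handler returns, so a self-kill only marks the client and forces a yield; the dispatch loop is expected to close it afterwards. */`. The deferred close is not visible in this patch, so the comment should name the code that acts on `MarkClientException` once that is confirmed. A minor style point: the helper is indented with four spaces while the lines added to `ProcKillClient` use tabs, so matching the file's existing convention would be cleaner.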
@@ -3263,21 +3277,9 @@ ProcKillClient(ClientPtr client)
     }
 
     rc = dixLookupClient(&killclient, stuff->id, client, DixDestroyAccess);
-    if (rc == Success) {
-	CloseDownClient(killclient);
-	/* if an LBX proxy gets killed, isItTimeToYield will be set */
-	if (isItTimeToYield || (client == killclient))
-	{
-	    /* force yield and return Success, so that Dispatch()
-	     * doesn't try to touch client
-	     */
-	    isItTimeToYield = TRUE;
-	    return Success;
-	}
-	return Success;
-    }
-    else
-	return rc;
+    if (rc == Success)
+	CloseDownClientByClient(client, killclient);
+    return rc;
 }
 
 int
-- 
1.7.1


