[PATCH xserver] dix: Prevent access to freed memory if a client kills itself.

Rami Ylimäki rami.ylimaki at vincit.fi
Tue Mar 20 02:32:39 PDT 2012


The 'Dispatch' function accesses a freed client structure if a client
happens to kill itself in a request. For example, I have a test client
that is used to check that it handles the XIO error correctly. The XIO
error is generated by requesting the client to kill itself with
XKillClient.

We don't have to care about LBX specific functionality anymore because
LBX support has been removed from the server.

Signed-off-by: Rami Ylimäki <rami.ylimaki at vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.seppala at vincit.fi>
Reviewed-by: Jamey Sharp <jamey at minilop.net>
---
Just an older patch that is already reviewed but was never picked.

 dix/dispatch.c |   24 ++++++++++--------------
 1 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index 44c2433..fced038 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3278,21 +3278,17 @@ ProcKillClient(ClientPtr client)
     }
 
     rc = dixLookupClient(&killclient, stuff->id, client, DixDestroyAccess);
-    if (rc == Success) {
-	CloseDownClient(killclient);
-	/* if an LBX proxy gets killed, isItTimeToYield will be set */
-	if (isItTimeToYield || (client == killclient))
-	{
-	    /* force yield and return Success, so that Dispatch()
-	     * doesn't try to touch client
-	     */
-	    isItTimeToYield = TRUE;
-	    return Success;
-	}
-	return Success;
+    if (rc == Success)
+    {
+        if (client == killclient)
+        {
+            MarkClientException(client);
+            isItTimeToYield = TRUE;
+        }
+        else
+            CloseDownClient(killclient);
     }
-    else
-	return rc;
+    return rc;
 }
 
 int
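Review bot: the new self-kill branch at "if (client == killclient)" has no comment, while the removed code explained that the yield is forced "so that Dispatch() doesn't try to touch client". That explanation is the whole reason for the change, since this branch no longer calls CloseDownClient() itself and only calls MarkClientException(client) and sets isItTimeToYield. Please add a short comment there saying the client is only marked at this point and that the actual close-down is expected to happen later, outside this request handler, so a future reader does not "simplify" it back into a direct CloseDownClient(client). It would also help if the commit message named where the marked client is finally closed, because that is not visible in this hunk. Minor style point: the added lines use four-space indentation with braces on their own line, whereas the removed lines were tab-indented with "if (rc == Success) {" on one line; please match whatever the rest of ProcKillClient uses.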
-- 
1.7.4.1
