[PATCH] os: Make sure big requests have sufficient length.
msrb at suse.com
msrb at suse.com
Fri Jul 7 15:04:03 UTC 2017
From: Michal Srb <msrb at suse.com>
A client can send a big request where the 32B "length" field has value 0. When the big request header is removed and the is length corrected, the value will underflow to 0xFFFFFFFF.
Functions processing the request later will think that the client sent much more data and may touch memory behind the receive buffer.
---
os/io.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/os/io.c b/os/io.c
index b0402912a..955c24924 100644
--- a/os/io.c
+++ b/os/io.c
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
if (!gotnow)
AvailableInput = oc;
if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+ YieldControlDeath();
+ return -1;
+ }
+
request = (xReq *) oci->bufptr;
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
*(xReq *) oci->bufptr = *request;
--
2.12.3
More information about the xorg-devel
mailing list