[PATCH app/xinit] Buffer overflow with many arguments.

Walter Harms wharms at bfs.de
Fri Feb 8 08:23:23 UTC 2019



> Tobias Stoeckmann <tobias at stoeckmann.org> wrote on 7 February 2019 at 20:54:
> 
> 
> Command line arguments are copied into clientargv and serverargv without
> verifying that enough space is available. A high amount of arguments can
> therefore trigger a buffer overflow like this:
> 
> $ xinit $(seq 1 500)
> 
> Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>


works for me

Reviewed-by: Walter Harms wharms at bfs.de

> ---
> Integrated calculation as suggested by Walter with style according to
> rest of the code.
> ---
>  xinit.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/xinit.c b/xinit.c
> index f826b7a..06c92b2 100644
> --- a/xinit.c
> +++ b/xinit.c
> @@ -151,7 +151,6 @@ main(int argc, char *argv[])
>      register char **ptr;
>      pid_t pid;
>      int client_given = 0, server_given = 0;
> -    int client_args_given = 0, server_args_given = 0;
>      int start_of_client_args, start_of_server_args;
>      struct sigaction sa, si;
>  #ifdef __APPLE__
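
Review bot: Removing client_args_given and server_args_given at the declaration is only safe if nothing else in main() reads them. The visible hunks show them only being incremented, so please confirm there is no remaining use. The commit message should also mention this cleanup, since it is separate from the bounds check.
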
> @@ -174,7 +173,8 @@ main(int argc, char *argv[])
>      }
>      start_of_client_args = (cptr - client);
>      while (argc && strcmp(*argv, "--")) {
> -        client_args_given++;
> +        if (cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2)
> +            Fatalx("too many client arguments");
>          *cptr++ = *argv++;
>          argc--;
>      }
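
Review bot: The "- 2" in the new bound ahead of "*cptr++ = *argv++;" is unexplained. With N = sizeof(clientargv) / sizeof(*clientargv), the check lets the last copy land at index N - 2 and leaves index N - 1 free, presumably for the terminating NULL, but that store is not in the visible context for the client loop. A one-line comment stating what the reserved slot is for, or a named end pointer, would make the off-by-one reasoning checkable without recomputing it.
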
> @@ -202,7 +202,8 @@ main(int argc, char *argv[])
>  
>      start_of_server_args = (sptr - server);
>      while (--argc >= 0) {
> -        server_args_given++;
> +        if (sptr > serverargv + sizeof(serverargv) / sizeof(*serverargv) - 2)
> +            Fatalx("too many server arguments");
>          *sptr++ = *argv++;
>      }
>      *sptr = NULL;
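
Review bot: The server loop repeats the client loop's bound expression with only the array name changed, so the two checks can drift apart. A small macro that takes the array and the cursor would keep them identical. The bound itself is consistent with the "*sptr = NULL;" that follows the loop: the last copy can reach index N - 2, so the terminator is stored at index N - 1 at the latest. Including the limit in the "too many server arguments" message would also tell the user how far over they are.
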
> -- 
> 2.20.1