[PATCH] libXfont: Avoid sending uninitialized padding data over the network
Peter Åstrand
astrand at cendio.se
Wed Feb 4 13:18:38 PST 2009
When libXfont is talking to a font server, it doesn't initialize padding
bytes.
Rgds,
---
Peter Åstrand ThinLinc Chief Developer
Cendio AB http://www.cendio.com
Wallenbergs gata 4
583 30 Linköping Phone: +46-13-21 46 00
-------------- next part --------------
From 3500556c3f162424898c06174caf02909d9b8e08 Mon Sep 17 00:00:00 2001
From: Peter Astrand <astrand at maggie.lkpg.cendio.se>
Date: Wed, 4 Feb 2009 22:09:25 +0100
Subject: [PATCH] Avoid sending uninitialized padding data over the network. Besides
cluttering Valgrind output, this might also be an information leak.
Signed-off-by: Peter Astrand <astrand at cendio.se>
---
src/fc/fserve.c | 9 +++++++++
src/fc/fsio.c | 2 ++
2 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/src/fc/fserve.c b/src/fc/fserve.c
index a1b1796..2ba08e8 100644
--- a/src/fc/fserve.c
+++ b/src/fc/fserve.c
@@ -1618,6 +1618,7 @@ fs_send_open_font(pointer client, FontPathElementPtr fpe, Mask flags,
buf[0] = (unsigned char) namelen;
memcpy(&buf[1], name, namelen);
openreq.reqType = FS_OpenBitmapFont;
+ openreq.pad = 0;
openreq.fid = fsd->fontid;
openreq.format_hint = fsd->format;
openreq.format_mask = fsd->fmask;
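Review bot: Clearing padding one field at a time (`openreq.pad = 0;` here, and the same pattern in the other eight fserve.c hunks of this patch) protects only the fields that were enumerated by hand. Any pad member or request struct that was missed still reaches `_fs_write` with whatever the memory held before. Zeroing the whole request before filling it, e.g. `memset(&openreq, 0, sizeof openreq);` ahead of the `reqType` assignment, would cover every padding byte and stay correct if the protocol structs gain fields. Whether other request builders in this file are left unpatched cannot be seen from these hunks. The body of fs_send_open_font starts and ends outside the hunk.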
@@ -1630,6 +1631,7 @@ fs_send_open_font(pointer client, FontPathElementPtr fpe, Mask flags,
blockrec->sequenceNumber = conn->current_seq;
inforeq.reqType = FS_QueryXInfo;
+ inforeq.pad = 0;
inforeq.id = fsd->fontid;
inforeq.length = SIZEOF(fsQueryXInfoReq) >> 2;
@@ -1756,6 +1758,7 @@ fs_send_close_font(FontPathElementPtr fpe, Font id)
return Successful;
/* tell the font server to close the font */
req.reqType = FS_CloseFont;
+ req.pad = 0;
req.length = SIZEOF(fsCloseReq) >> 2;
req.id = id;
_fs_add_req_log(conn, FS_CloseFont);
@@ -2288,6 +2291,7 @@ fs_send_list_fonts(pointer client, FontPathElementPtr fpe, char *pattern,
/* send the request */
req.reqType = FS_ListFonts;
+ req.pad = 0;
req.maxNames = maxnames;
req.nbytes = patlen;
req.length = (SIZEOF(fsListFontsReq) + patlen + 3) >> 2;
@@ -2458,6 +2462,7 @@ fs_start_list_with_info(pointer client, FontPathElementPtr fpe,
/* send the request */
req.reqType = FS_ListFontsWithXInfo;
+ req.pad = 0;
req.maxNames = maxnames;
req.nbytes = len;
req.length = (SIZEOF(fsListFontsWithXInfoReq) + len + 3) >> 2;
@@ -2558,6 +2563,7 @@ fs_client_died(pointer client, FontPathElementPtr fpe)
{
if (cur->client == client) {
freeac.reqType = FS_FreeAC;
+ freeac.pad = 0;
freeac.id = cur->acid;
freeac.length = sizeof (fsFreeACReq) >> 2;
_fs_add_req_log(conn, FS_FreeAC);
@@ -2632,6 +2638,7 @@ _fs_client_access (FSFpePtr conn, pointer client, Bool sync)
{
fsFreeACReq freeac;
freeac.reqType = FS_FreeAC;
+ freeac.pad = 0;
freeac.id = cur->acid;
freeac.length = sizeof (fsFreeACReq) >> 2;
_fs_add_req_log(conn, FS_FreeAC);
@@ -2660,6 +2667,7 @@ _fs_client_access (FSFpePtr conn, pointer client, Bool sync)
if (conn->curacid != cur->acid)
{
setac.reqType = FS_SetAuthorization;
+ setac.pad = 0;
setac.length = sizeof (fsSetAuthorizationReq) >> 2;
setac.id = cur->acid;
_fs_add_req_log(conn, FS_SetAuthorization);
@@ -2962,6 +2970,7 @@ _fs_send_cat_sync (FSFpePtr conn)
lcreq.length = (SIZEOF(fsListCataloguesReq)) >> 2;
lcreq.maxNames = 0;
lcreq.nbytes = 0;
+ lcreq.pad2 = 0;
_fs_add_req_log(conn, FS_SetCatalogues);
if (_fs_write(conn, (char *) &lcreq, SIZEOF(fsListCataloguesReq)) != FSIO_READY)
return FSIO_ERROR;
diff --git a/src/fc/fsio.c b/src/fc/fsio.c
index ee93378..79dc0d6 100644
--- a/src/fc/fsio.c
+++ b/src/fc/fsio.c
@@ -394,6 +394,8 @@ _fs_do_write(FSFpePtr conn, char *data, long len, long size)
}
}
memcpy (conn->outBuf.buf + conn->outBuf.insert, data, len);
+ /* Clear pad data */
+ memset (conn->outBuf.buf + conn->outBuf.insert + len, 0, size - len);
conn->outBuf.insert += size;
_fs_mark_block (conn, FS_PENDING_WRITE);
return FSIO_READY;
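Review bot: The added `memset` takes `size - len` as its length, and both are signed `long` parameters, so a call with `size < len` would convert a negative difference into a very large `size_t` and write far past `outBuf.buf`. The callers presumably always pass `size >= len`, but nothing in the visible lines enforces that, and the preceding `memcpy` of `len` bytes rests on the same assumption. A guard makes the invariant explicit, e.g. `if (size > len) memset (conn->outBuf.buf + conn->outBuf.insert + len, 0, size - len);`, ideally with an early `FSIO_ERROR` return when `len > size`. The start of _fs_do_write, including the buffer-space check, is outside the hunk.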
--
1.5.2.2