From: Michal Srb <[email protected]>
A client can send a big request where the 32B "length" field has value 0. When
the big request header is removed and the length is corrected, the value will
underflow to 0xFFFFFFFF.
Functions processing the request later will think that the client sent much
more data and may touch memory behind the receive buffer.
---
os/io.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/os/io.c b/os/io.c
index b0402912a..955c24924 100644
--- a/os/io.c
+++ b/os/io.c
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
if (!gotnow)
AvailableInput = oc;
if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+ YieldControlDeath();
+ return -1;
+ }
+
request = (xReq *) oci->bufptr;
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
*(xReq *) oci->bufptr = *request;
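Review bot: the new check at the top of the move_header block rejects a req_len smaller than the one 32-bit unit that the following lines strip (sizeof(xBigReq) - sizeof(xReq)), which stops the wrap to 0xFFFFFFFF, but a req_len equal to that value still passes and is corrected to 0, i.e. a request with no room even for the xReq header that `*(xReq *) oci->bufptr = *request;` copies into place; consider `<=` here, or a separate minimum-length check on the corrected value, and add a one-line comment above the `if` saying why a zero 32-bit length must be refused, since nothing in the hunk otherwise explains the constant being compared. The patch as posted also carries no Signed-off-by line.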
--
2.12.3
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
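The underflow described in the commit message, reproduced as an added example that is not code from the X server or from this patch. It models only the parts that matter: a little-endian request header (assumed byte order), a 4-byte xReq and an 8-byte xBigReq (assumed sizes matching the wire format), a client struct holding req_len in 32-bit units, and a constructed big request whose 32-bit length is 0. The unchecked routine shows the length wrapping to 0xFFFFFFFF and exceeding any realistic receive buffer; the checked routine applies the same comparison the patch adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire sizes of the two X request headers, as assumed for this example:
 * xReq is 4 bytes (opcode, data, 16-bit length), xBigReq is 8 bytes
 * (opcode, data, 16-bit length of 0, then a 32-bit length). */
#define XREQ_SIZE    4u
#define XBIGREQ_SIZE 8u
#define BYTES_TO_INT32(n) (((n) + 3u) / 4u)

/* Client state we care about: the request length in 32-bit units. */
struct client {
    uint32_t req_len;
};

/* Parse the length out of a request header assumed to be little-endian.
 * Returns 0 on success, storing the length (in 32-bit units) and whether
 * the BIG-REQUESTS form was used; returns -1 if fewer bytes are present
 * than the header needs. */
static int parse_request_len(const uint8_t *hdr, size_t n,
                             uint32_t *len, int *is_big)
{
    if (n < XREQ_SIZE)
        return -1;
    uint32_t len16 = (uint32_t)hdr[2] | ((uint32_t)hdr[3] << 8);
    if (len16 != 0) {
        *len = len16;
        *is_big = 0;
        return 0;
    }
    if (n < XBIGREQ_SIZE)
        return -1;
    *len = (uint32_t)hdr[4] | ((uint32_t)hdr[5] << 8)
         | ((uint32_t)hdr[6] << 16) | ((uint32_t)hdr[7] << 24);
    *is_big = 1;
    return 0;
}

/* Pre-patch arithmetic: subtract the extra big-request header units from
 * the length without checking that the length can cover them. */
static uint32_t strip_big_header_unchecked(struct client *c)
{
    c->req_len -= BYTES_TO_INT32(XBIGREQ_SIZE - XREQ_SIZE);
    return c->req_len;
}

/* The comparison the patch adds: refuse a length smaller than what is
 * about to be subtracted. Returns -1 for a rejected client, 0 otherwise. */
static int strip_big_header_checked(struct client *c)
{
    if (c->req_len < BYTES_TO_INT32(XBIGREQ_SIZE - XREQ_SIZE))
        return -1;
    c->req_len -= BYTES_TO_INT32(XBIGREQ_SIZE - XREQ_SIZE);
    return 0;
}

/* Would a handler that trusts req_len read past a receive buffer of
 * bufsize bytes? */
static int exceeds_buffer(uint32_t req_len, size_t bufsize)
{
    return (uint64_t)req_len * 4u > (uint64_t)bufsize;
}

/* Constructed sample: a big request whose 32-bit length field is 0.
 * The opcode and data bytes are arbitrary for this example. */
static const uint8_t sample_big_req_len0[XBIGREQ_SIZE] = {
    0x01, 0x00,              /* opcode, data */
    0x00, 0x00,              /* 16-bit length 0: big request form */
    0x00, 0x00, 0x00, 0x00   /* 32-bit length 0: the problematic value */
};

/* Run the sample through the parser and the unchecked strip. */
static uint32_t unchecked_result_for_sample(void)
{
    uint32_t len = 0;
    int is_big = 0;
    if (parse_request_len(sample_big_req_len0, sizeof sample_big_req_len0,
                          &len, &is_big) != 0 || !is_big)
        return 0;
    struct client c = { len };
    return strip_big_header_unchecked(&c);
}

/* Run the sample through the parser and the checked strip. */
static int checked_result_for_sample(void)
{
    uint32_t len = 0;
    int is_big = 0;
    if (parse_request_len(sample_big_req_len0, sizeof sample_big_req_len0,
                          &len, &is_big) != 0 || !is_big)
        return -2;
    struct client c = { len };
    return strip_big_header_checked(&c);
}

int main(void)
{
    uint32_t bogus = unchecked_result_for_sample();
    printf("unchecked: req_len 0 becomes 0x%08x, overruns a 4 KiB buffer: %s\n",
           (unsigned)bogus, exceeds_buffer(bogus, 4096) ? "yes" : "no");
    printf("checked:   client %s\n",
           checked_result_for_sample() < 0 ? "rejected" : "accepted");
    return 0;
}
```

The subtraction is on an unsigned 32-bit value, so 0 minus the one unit of extra header wraps to 0xFFFFFFFF rather than going negative, and any code that multiplies that by 4 to get a byte count will happily walk far past the receive buffer; the check has to happen before the subtraction, which is where the patch places it.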