dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit e0e1164462)
Signed-off-by: Julien Cristau <jcristau@debian.org>
parent
c2515e9dfd
commit
2883994f9f
|
@ -76,7 +76,8 @@ SOFTWARE.
|
|||
|
||||
#define REQUEST_FIXED_SIZE(req, n)\
|
||||
if (((sizeof(req) >> 2) > client->req_len) || \
|
||||
(((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
|
||||
((n >> 2) >= client->req_len) || \
|
||||
((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
|
||||
return(BadLength)
|
||||
|
||||
#define LEGAL_NEW_RESOURCE(id,client)\
|
||||
|
|
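Review bot: The added clause `((n >> 2) >= client->req_len)` uses the macro argument `n` without parentheses, while the line after it writes `(n)`; an argument built with an operator that binds looser than `>>` (`&`, `|`, `?:`) would be only partly shifted, so the bound would be checked against the wrong value. I would write it as `(((n) >> 2) >= client->req_len) || \`. The macro also now expands `n` twice, so a short comment above the `#define` should say that `n` must be free of side effects and that this clause rejects any `n` whose word count already reaches the request length before it enters the 64-bit sum. The callers are outside this hunk, so whether any of them passes such an expression cannot be seen here.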