dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
GetHosts saves the pointer to allocated memory in *data, and then wants to bounds-check writes to that region, but was mistakenly using a bare 'data' instead of '*data'. Also, data is declared as void **, so we need a cast to turn it into a byte pointer so we can actually do pointer comparisons. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
parent
9802a0162f
commit
1559a94395
|
@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
|
|||
}
|
||||
for (host = validhosts; host; host = host->next) {
|
||||
len = host->len;
|
||||
if ((ptr + sizeof(xHostEntry) + len) > (data + n))
|
||||
if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
|
||||
break;
|
||||
((xHostEntry *) ptr)->family = host->family;
|
||||
((xHostEntry *) ptr)->length = len;
|
||||
|
|
Loading…
Reference in New Issue