CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameters of these requests, causing memory corruption.
parent
702e709973
commit
8ffaf61370
|
@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
|
||||||
register char n;
|
register char n;
|
||||||
CARD32 *values;
|
CARD32 *values;
|
||||||
unsigned long nvalues;
|
unsigned long nvalues;
|
||||||
|
int values_offset;
|
||||||
|
|
||||||
swaps(&stuff->length, n);
|
swaps(&stuff->length, n);
|
||||||
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
|
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
|
||||||
swaps(&stuff->nbytesAuthProto, n);
|
swaps(&stuff->nbytesAuthProto, n);
|
||||||
swaps(&stuff->nbytesAuthData, n);
|
swaps(&stuff->nbytesAuthData, n);
|
||||||
swapl(&stuff->valueMask, n);
|
swapl(&stuff->valueMask, n);
|
||||||
values = (CARD32 *)(&stuff[1]) +
|
values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
|
||||||
((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
|
((stuff->nbytesAuthData + (unsigned)3) >> 2);
|
||||||
((stuff->nbytesAuthData + (unsigned)3) >> 2);
|
if (values_offset >
|
||||||
|
stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
|
||||||
|
return BadLength;
|
||||||
|
values = (CARD32 *)(&stuff[1]) + values_offset;
|
||||||
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
|
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
|
||||||
SwapLongs(values, nvalues);
|
SwapLongs(values, nvalues);
|
||||||
return ProcSecurityGenerateAuthorization(client);
|
return ProcSecurityGenerateAuthorization(client);
|
||||||
|
|
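Review bot: The new bound in SProcSecurityGenerateAuthorization is only meaningful if `stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)` cannot go negative, which depends on what REQUEST_AT_LEAST_SIZE checks; the macro is not visible here. Writing the test as an addition removes that dependency: `if (values_offset + (sz_xSecurityGenerateAuthorizationReq >> 2) > stuff->length) return BadLength;`. A short comment above the check would also help, for example `/* all quantities are in 4-byte units; the value list must start inside the request */`, since `values_offset` is later added to a `CARD32 *`. The function starts above this hunk, so the declaration of `stuff` and the type of `length` are inferred from the `swaps` call.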
|
@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
|
||||||
} /* SProcRecordQueryVersion */
|
} /* SProcRecordQueryVersion */
|
||||||
|
|
||||||
|
|
||||||
static void
|
static int
|
||||||
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
|
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
|
||||||
{
|
{
|
||||||
register char n;
|
register char n;
|
||||||
|
@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
|
||||||
swapl(&stuff->nClients, n);
|
swapl(&stuff->nClients, n);
|
||||||
swapl(&stuff->nRanges, n);
|
swapl(&stuff->nRanges, n);
|
||||||
pClientID = (XID *)&stuff[1];
|
pClientID = (XID *)&stuff[1];
|
||||||
|
if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
|
||||||
|
return BadLength;
|
||||||
for (i = 0; i < stuff->nClients; i++, pClientID++)
|
for (i = 0; i < stuff->nClients; i++, pClientID++)
|
||||||
{
|
{
|
||||||
swapl(pClientID, n);
|
swapl(pClientID, n);
|
||||||
}
|
}
|
||||||
|
if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
|
||||||
|
- stuff->nClients)
|
||||||
|
return BadLength;
|
||||||
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
|
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
|
||||||
|
return Success;
|
||||||
} /* SwapCreateRegister */
|
} /* SwapCreateRegister */
|
||||||
|
|
||||||
|
|
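Review bot: The second check in SwapCreateRegister compares `stuff->nRanges`, a count of `xRecordRange` records, against the remaining request length counted in 4-byte words. If an `xRecordRange` is larger than one word (its definition is not shown here), a request can pass this check and RecordSwapRanges would still swap past the end of the request. The bound should be scaled by the record size, for example `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2)) return BadLength;`, assuming the protocol header defines `sz_xRecordRange` like the other `sz_` constants. Both checks also compare a 32-bit count (swapped with `swapl`) against an `int` difference, so a `stuff->length` smaller than the fixed header would wrap to a very large bound. An explicit `stuff->length < (sz_xRecordRegisterClientsReq >> 2)` rejection before the subtraction would make the function safe regardless of what its callers' REQUEST_AT_LEAST_SIZE guarantees.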
||||||
|
@ -2679,11 +2685,13 @@ static int
|
||||||
SProcRecordCreateContext(ClientPtr client)
|
SProcRecordCreateContext(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRecordCreateContextReq);
|
REQUEST(xRecordCreateContextReq);
|
||||||
|
int status;
|
||||||
register char n;
|
register char n;
|
||||||
|
|
||||||
swaps(&stuff->length, n);
|
swaps(&stuff->length, n);
|
||||||
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
|
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
|
||||||
SwapCreateRegister((pointer)stuff);
|
if ((status = SwapCreateRegister((pointer)stuff)) != Success)
|
||||||
|
return status;
|
||||||
return ProcRecordCreateContext(client);
|
return ProcRecordCreateContext(client);
|
||||||
} /* SProcRecordCreateContext */
|
} /* SProcRecordCreateContext */
|
||||||
|
|
||||||
|
@ -2692,11 +2700,13 @@ static int
|
||||||
SProcRecordRegisterClients(ClientPtr client)
|
SProcRecordRegisterClients(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRecordRegisterClientsReq);
|
REQUEST(xRecordRegisterClientsReq);
|
||||||
|
int status;
|
||||||
register char n;
|
register char n;
|
||||||
|
|
||||||
swaps(&stuff->length, n);
|
swaps(&stuff->length, n);
|
||||||
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
|
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
|
||||||
SwapCreateRegister((pointer)stuff);
|
if ((status = SwapCreateRegister((pointer)stuff)) != Success)
|
||||||
|
return status;
|
||||||
return ProcRecordRegisterClients(client);
|
return ProcRecordRegisterClients(client);
|
||||||
} /* SProcRecordRegisterClients */
|
} /* SProcRecordRegisterClients */
|
||||||
|
|
||||||
|
|