Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b747da5e25
)
This commit is contained in:
parent
cc41e5b581
commit
95f605b42d
|
@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
|
|||
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
|
||||
auth_proto = (char *) prefix + sz_xConnClientPrefix;
|
||||
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
|
||||
if ((prefix->majorVersion != X_PROTOCOL) ||
|
||||
|
||||
if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
|
||||
pad_to_int32(prefix->nbytesAuthProto) +
|
||||
pad_to_int32(prefix->nbytesAuthString))
|
||||
reason = "Bad length";
|
||||
else if ((prefix->majorVersion != X_PROTOCOL) ||
|
||||
(prefix->minorVersion != X_PROTOCOL_REVISION))
|
||||
reason = "Protocol version mismatch";
|
||||
else
|
||||
|
|
Loading…
Reference in New Issue
Block a user