Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)

Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit b747da5e25)
2015-01-09 10:15:46 -05:00 · 2015-01-09 10:15:46 -05:00 · 95f605b42d
commit 95f605b42d
parent cc41e5b581
1 changed files with 6 additions and 1 deletions
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
    prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
    auth_proto = (char *) prefix + sz_xConnClientPrefix;
    auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
-    if ((prefix->majorVersion != X_PROTOCOL) ||
+
+    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+	pad_to_int32(prefix->nbytesAuthProto) +
+	pad_to_int32(prefix->nbytesAuthString))
+        reason = "Bad length";
+    else if ((prefix->majorVersion != X_PROTOCOL) ||
        (prefix->minorVersion != X_PROTOCOL_REVISION))
        reason = "Protocol version mismatch";
    else