Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
parent
4ca68b878e
commit
b747da5e25
|
@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
|
|||
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
|
||||
auth_proto = (char *) prefix + sz_xConnClientPrefix;
|
||||
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
|
||||
if ((prefix->majorVersion != X_PROTOCOL) ||
|
||||
|
||||
if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
|
||||
pad_to_int32(prefix->nbytesAuthProto) +
|
||||
pad_to_int32(prefix->nbytesAuthString))
|
||||
reason = "Bad length";
|
||||
else if ((prefix->majorVersion != X_PROTOCOL) ||
|
||||
(prefix->minorVersion != X_PROTOCOL_REVISION))
|
||||
reason = "Protocol version mismatch";
|
||||
else
|
||||
|
|
Loading…
Reference in New Issue