Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
parent
4ca68b878e
commit
b747da5e25
|
@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
|
||||||
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
|
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
|
||||||
auth_proto = (char *) prefix + sz_xConnClientPrefix;
|
auth_proto = (char *) prefix + sz_xConnClientPrefix;
|
||||||
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
|
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
|
||||||
if ((prefix->majorVersion != X_PROTOCOL) ||
|
|
||||||
|
if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
|
||||||
|
pad_to_int32(prefix->nbytesAuthProto) +
|
||||||
|
pad_to_int32(prefix->nbytesAuthString))
|
||||||
|
reason = "Bad length";
|
||||||
|
else if ((prefix->majorVersion != X_PROTOCOL) ||
|
||||||
(prefix->minorVersion != X_PROTOCOL_REVISION))
|
(prefix->minorVersion != X_PROTOCOL_REVISION))
|
||||||
reason = "Protocol version mismatch";
|
reason = "Protocol version mismatch";
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in New Issue
Block a user