andreacavalli/xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

os: Make sure big requests have sufficient length.

Browse Source 
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF.  Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.

Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 9c23685009)
This commit is contained in:
Michal Srb 2017-07-07 17:04:03 +02:00 committed by Adam Jackson
parent 784d205ff6
commit e751722a7b
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
os/io.c
View File

@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
if (!gotnow)
AvailableInput = oc;
if (move_header) {
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
YieldControlDeath();
return -1;
}
request = (xReq *) oci->bufptr;
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
*(xReq *) oci->bufptr = *request;