[X2Go-Dev] [X2Go-Commits] [nx-libs] 19/52: CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d

Mihai Moldovan ionic at ionic.de
Sun Feb 15 20:18:37 CET 2015


On 14.02.2015 05:47 PM, git-admin at x2go.org wrote:
> This is an automated email from the git hooks/post-receive script.
>
> x2go pushed a commit to branch 3.6.x
> in repository nx-libs.
>
> commit 94c6de0649cd295044b1e4ff7265949c9c787519
> Author: Mike DePaulo <mikedep333 at gmail.com>
> Date:   Sun Feb 8 21:03:33 2015 -0500
>
>     CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d
>     
>     The connection setup reply from the font server can include a list
>     of alternate servers to contact if this font server stops working.
>     
>     The reply specifies a total size of all the font server names, and
>     then provides a list of names. _fs_recv_conn_setup() allocated the
>     specified total size for copying the names to, but didn't check to
>     make sure it wasn't copying more data to that buffer than the size
>     it had allocated.
> ---
>  nx-X11/lib/font/fc/fserve.c |   21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
> index bac0b8e..0fdcc1d 100644
> --- a/nx-X11/lib/font/fc/fserve.c
> +++ b/nx-X11/lib/font/fc/fserve.c
> @@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
>      int			ret;
>      fsConnSetup		*setup;
>      FSFpeAltPtr		alts;
> -    int			i, alt_len;
> +    unsigned int	i, alt_len;
>      int			setup_len;
>      char		*alt_save, *alt_names;
>      
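
Review bot: the change of `i` and `alt_len` from `int` to `unsigned int` is not explained anywhere in the commit message; add a line there (or a comment beside the declaration) saying that `alt_len` is now compared against a `size_t` byte budget further down and that `i` follows for consistency, so the next reader does not take it for a silenced signed/unsigned warning. `setup_len` stays `int` in the same declaration block, which is fine only if it is never compared with the new unsigned values, and that should be stated too.
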
> @@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
>  	}
>  	if (setup->num_alternates)
>  	{
> +	    size_t alt_name_len = setup->alternate_len << 2;
>  	    alts = (FSFpeAltPtr) xalloc (setup->num_alternates * 
> -					 sizeof (FSFpeAltRec) +
> -					 (setup->alternate_len << 2));
> +					 sizeof (FSFpeAltRec) + alt_name_len);
>  	    if (alts)
>  	    {
>  		alt_names = (char *) (setup + 1);
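
Review bot: `alt_name_len` is the byte budget for all alternate names in the reply (the `<< 2` converts the protocol field from 4-byte units), and the bounds check later in the patch depends on it, so give it a one-line comment saying so. Also worth confirming in review that `setup->alternate_len` itself lies within the `setup_len` bytes actually received before it is trusted here: the hunk sizes the allocation from the field as-is, and the later check only bounds the copy against this allocation, not the read against the received reply.
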
> @@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
>  		{
>  		    alts[i].subset = alt_names[0];
>  		    alt_len = alt_names[1];
> +		    if (alt_len >= alt_name_len) {
> +			/*
> +			 * Length is longer than setup->alternate_len
> +			 * told us to allocate room for, assume entire
> +			 * alternate list is corrupted.
> +			 */
> +#ifdef DEBUG
> +			fprintf (stderr,
> +				 "invalid alt list (length %lx >= %lx)\n",
> +				 (long) alt_len, (long) alt_name_len);
> +#endif
> +			free(alts);
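
Review bot: `alt_len = alt_names[1];` reads the length byte through a plain `char *` (declared in the first hunk) into the now-unsigned `alt_len`, so on platforms where `char` is signed any length of 128 or more is sign-extended to a value near UINT_MAX and `alt_len >= alt_name_len` rejects a list that may be well-formed; read it as `alt_len = (unsigned char) alt_names[1];` so the check compares the real length. Second, `free(alts)` releases memory obtained with `xalloc` two hunks up; use the matching `xfree(alts)` in this tree. Third, the quoted hunk is cut off here, so it is not visible whether `alt_name_len` is reduced by `alt_len + 2` after each name and whether the read of `alt_names` is bounded by `setup_len` as well as by the allocation; the rest of the loop needs checking for both.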

Shouldn't this be xfree(alts) if using xalloc previously?
