[X2Go-Commits] [nx-libs] 30/52: unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]

[git-admin at x2go.org]

This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Jan 17 18:54:03 2014 -0800

    unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
    
    authdes_ezdecode() calls malloc() using a length provided by the
    connection handshake sent by a newly connected client in order
    to authenticate to the server, so should be treated as untrusted.
    
    It didn't check if malloc() failed before writing to the newly
    allocated buffer, so could lead to a server crash if the server
    fails to allocate memory (up to UINT16_MAX bytes, since the len
    field is a CARD16 in the X protocol).
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    
    Conflicts:
    	os/rpcauth.c
---
 nx-X11/programs/Xserver/os/rpcauth.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c
index 3c5cb59..a12931e 100644
--- a/nx-X11/programs/Xserver/os/rpcauth.c
+++ b/nx-X11/programs/Xserver/os/rpcauth.c
@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len)
     SVCXPRT         xprt;
 
     temp_inmsg = (char *) xalloc(len);
+    if (temp_inmsg == NULL) {
+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+        return NULL;
+    }
     memmove(temp_inmsg, inmsg, len);
 
     memset((char *)&msg, 0, sizeof(msg));

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git