[X2Go-Commits] [nx-libs] 35/52: dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]

git-admin at x2go.org git-admin at x2go.org
Sat Feb 14 17:47:14 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit 985ca320f841bd9a3efc484f92436b3d65ec1b31
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Wed Jan 22 23:12:04 2014 -0800

    dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
    
    ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
    from a buffer. The length is never validated, which can lead to out of
    bound reads, and possibly returning the data read from out of bounds to
    the misbehaving client via an X Error packet.
    
    SProcDbeSwapBuffers() swaps data (for correct endianness) before
    handing it off to the real proc.  While doing the swapping, the
    length field is not validated, which can cause memory corruption.
    
    v2: reorder checks to avoid compilers optimizing out checks for overflow
    that happen after we'd already have done the overflowing multiplications.
    v3: backport to nx-libs 3.6.x (Mike DePaulo)
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    
    Conflicts:
    	dbe/dbe.c
---
 nx-X11/programs/Xserver/dbe/dbe.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c
index c0d6131..5a1e9b0 100644
--- a/nx-X11/programs/Xserver/dbe/dbe.c
+++ b/nx-X11/programs/Xserver/dbe/dbe.c
@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client)
     DbeSwapInfoPtr	swapInfo;
     xDbeSwapInfo	*dbeSwapInfo;
     int			error;
-    register int	i, j;
-    int			nStuff;
+    unsigned int	i, j;
+    unsigned int	nStuff;
 
 
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client)
 
     if (nStuff == 0)
     {
+        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
         return(Success);
     }
 
     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
 	    return BadAlloc;
+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
 
     /* Get to the swap info appended to the end of the request. */
     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
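Review bot: the overflow guard just above the new REQUEST_FIXED_SIZE line divides by sizeof(DbeSwapInfoRec), but the product passed to the macro is nStuff * sizeof(xDbeSwapInfo). The guard only covers that multiplication while sizeof(xDbeSwapInfo) <= sizeof(DbeSwapInfoRec), and neither struct is defined in this diff. Either add a comment stating that relation and what the DbeSwapInfoRec bound is protecting, or bound nStuff against sizeof(xDbeSwapInfo) explicitly before computing the request length.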
@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client)
     ClientPtr client;
 {
     REQUEST(xDbeSwapBuffersReq);
-    register int	i, n;
+    unsigned int	i, n;
     xDbeSwapInfo	*pSwapInfo;
 
 
@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client)
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
 
     swapl(&stuff->n, n);
+    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+        return BadAlloc;
+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0)
     { 
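Review bot: in SProcDbeSwapBuffers the bound check and REQUEST_FIXED_SIZE sit before the stuff->n != 0 test, whereas ProcDbeSwapBuffers handles the zero case first with REQUEST_SIZE_MATCH and checks the bound afterwards. The same validation now exists twice in a different order; moving it into one shared helper or macro, or at least matching the order, would keep the two paths from drifting apart. A one-line comment that the length check must come before the swapping of the stuff->n entries would also document why it is placed here, since that swapping is the corruption path the commit message describes.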

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git

