Commit 95f605b4 authored by Nathan Kidd's avatar Nathan Kidd Committed by Adam Jackson
Browse files

Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)


Reviewed-by: Julien Cristau's avatarJulien Cristau <jcristau@debian.org>
Signed-off-by: default avatarNathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau's avatarJulien Cristau <jcristau@debian.org>
(cherry picked from commit b747da5e)
parent cc41e5b5
......@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
auth_proto = (char *) prefix + sz_xConnClientPrefix;
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
if ((prefix->majorVersion != X_PROTOCOL) ||
if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
pad_to_int32(prefix->nbytesAuthProto) +
pad_to_int32(prefix->nbytesAuthString))
reason = "Bad length";
else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment