Commit d81da209 authored by Tobias Stoeckmann's avatar Tobias Stoeckmann Committed by Matthieu Herrb

Validation of server response in XListHosts.

If a server sends an incorrect length in its response, a client is prone
to perform an out of boundary read while processing the data.

The length field of xHostEntry is used to specify the amount of bytes
used to represent the address. It is 16 bit, which means that it is not
possible to perform an arbitrary memory access, but it might be enough
to read sensitive information, e.g. malloc-related pointers and offsets.
Signed-off-by: Tobias Stoeckmann's avatarTobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb's avatarMatthieu Herrb <matthieu@herrb.eu>
parent b676e623
......@@ -119,11 +119,16 @@ XHostAddress *XListHosts (
_XRead (dpy, (char *) buf, nbytes);
for (i = 0; i < reply.nHosts; i++) {
if (bp > buf + nbytes - SIZEOF(xHostEntry))
goto fail;
op->family = ((xHostEntry *) bp)->family;
op->length =((xHostEntry *) bp)->length;
if (op->family == FamilyServerInterpreted) {
char *tp = (char *) (bp + SIZEOF(xHostEntry));
char *vp = memchr(tp, 0, op->length);
char *vp;
if (tp > (char *) (buf + nbytes - op->length))
goto fail;
vp = memchr(tp, 0, op->length);
if (vp != NULL) {
sip->type = tp;
......@@ -138,6 +143,8 @@ XHostAddress *XListHosts (
sip++;
} else {
op->address = (char *) (bp + SIZEOF(xHostEntry));
if (op->address > (char *) (buf + nbytes - op->length))
goto fail;
}
bp += SIZEOF(xHostEntry) + (((op->length + 3) >> 2) << 2);
op++;
......@@ -149,9 +156,9 @@ XHostAddress *XListHosts (
UnlockDisplay(dpy);
SyncHandle();
return (outbuf);
fail:
*enabled = reply.enabled;
*nhosts = 0;
Xfree(outbuf);
return (NULL);
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment