Commit 11beef0b authored by Peter Hutterer's avatar Peter Hutterer
Browse files

xkb: proof GetCountedString against request length attacks



GetCountedString did a check for the whole string to be within the
request buffer but not for the initial 2 bytes that contain the length
field. A swapped client could send a malformed request to trigger a
swaps() on those bytes, writing into random memory.

Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
parent 1bb7767f
Pipeline #644843 passed with stages
in 2 minutes and 15 seconds
......@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
CARD16 len;
wire = *wire_inout;
if (client->req_len <
bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
return BadValue;
len = *(CARD16 *) wire;
if (client->swapped) {
swaps(&len);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment