You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35 lines
1.0 KiB
35 lines
1.0 KiB
From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 |
|
From: Peter Hutterer <peter.hutterer@who-t.net> |
|
Date: Tue, 5 Jul 2022 12:06:20 +1000 |
|
Subject: [PATCH xserver] xkb: proof GetCountedString against request length |
|
attacks |
|
|
|
GetCountedString did a check for the whole string to be within the |
|
request buffer but not for the initial 2 bytes that contain the length |
|
field. A swapped client could send a malformed request to trigger a |
|
swaps() on those bytes, writing into random memory. |
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
|
--- |
|
xkb/xkb.c | 5 +++++ |
|
1 file changed, 5 insertions(+) |
|
|
|
diff --git a/xkb/xkb.c b/xkb/xkb.c |
|
index f42f59ef3..1841cff26 100644 |
|
--- a/xkb/xkb.c |
|
+++ b/xkb/xkb.c |
|
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) |
|
CARD16 len; |
|
|
|
wire = *wire_inout; |
|
+ |
|
+ if (client->req_len < |
|
+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) |
|
+ return BadValue; |
|
+ |
|
len = *(CARD16 *) wire; |
|
if (client->swapped) { |
|
swaps(&len); |
|
-- |
|
2.38.1 |
|
|
|
|