diff options
author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2008-06-08 11:16:55 -0600 |
---|---|---|
committer | Matthieu Herrb <matthieu@bluenote.herrb.net> | 2008-06-10 11:43:35 -0600 |
commit | 8ffaf613705a915c4b53ae11096dacd786fd1d22 (patch) | |
tree | d5be73b088b2a7c9f5573556416593d490a44bba | |
parent | 702e709973252d596be736c2f5c0de4837446501 (diff) |
CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
-rw-r--r-- | Xext/security.c | 10 | ||||
-rw-r--r-- | record/record.c | 16 |
2 files changed, 20 insertions, 6 deletions
diff --git a/Xext/security.c b/Xext/security.c index 14ad354cf..a8a75ea6c 100644 --- a/Xext/security.c +++ b/Xext/security.c @@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/record/record.c b/record/record.c index 0ed8f84c2..9a166d67b 100644 --- a/record/record.c +++ b/record/record.c @@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client) } /* SProcRecordQueryVersion */ -static void +static int SwapCreateRegister(xRecordRegisterClientsReq *stuff) { register char n; @@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff) swapl(&stuff->nClients, n); swapl(&stuff->nRanges, n); pClientID = (XID *)&stuff[1]; + if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2)) + return BadLength; for (i = 0; i < stuff->nClients; i++, pClientID++) { swapl(pClientID, n); } + if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2) + - stuff->nClients) + return BadLength; RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges); + return Success; } /* SwapCreateRegister */ @@ -2679,11 +2685,13 @@ static int SProcRecordCreateContext(ClientPtr client) { REQUEST(xRecordCreateContextReq); + int status; register char n; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); - SwapCreateRegister((pointer)stuff); + if ((status = SwapCreateRegister((pointer)stuff)) != Success) + return status; return ProcRecordCreateContext(client); } /* SProcRecordCreateContext */ @@ -2692,11 +2700,13 @@ static int SProcRecordRegisterClients(ClientPtr client) { REQUEST(xRecordRegisterClientsReq); + int status; register char n; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); - SwapCreateRegister((pointer)stuff); + if ((status = SwapCreateRegister((pointer)stuff)) != Success) + return status; return ProcRecordRegisterClients(client); } /* SProcRecordRegisterClients */ |