authorTobias Stoeckmann <tobias@stoeckmann.org>2020-05-03 12:29:53 +0200
committerAlan Coopersmith <alan.coopersmith@oracle.com>2020-05-10 18:03:48 +0000
commitf5af3b21bc94cb020f3530c3cc70f8a9fd6c6452 (patch)
tree87c92b5b5608e9b0aaa0a57b0735510be655cc45
parentcb98d3b3c5e0f8a7585ab6e2c909fad68c52fd55 (diff)
Prevent OOB write with long file names.
If an -f argument is exactly 1022 characters long, an off-by-one stack overflow happens in auth_finalize. The overflow could be even larger if locks are ignored for authentication files. Make sure that a given authentication file name fits into the temporary buffer and that this buffer matches the buffer sizes of libXau, which is used by xauth.
-rw-r--r--process.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/process.c b/process.c
index 43f10e0..044611b 100644
--- a/process.c
+++ b/process.c
@@ -697,6 +697,10 @@ auth_initialize(const char *authfilename)
FILE *authfp;
Bool exists;
+ if (strlen(authfilename) > 1022) {
+ fprintf (stderr, "%s: authority file name \"%s\" too long\n",
+ ProgramName, authfilename);
+ }
xauth_filename = authfilename; /* used in cleanup, prevent race with
signals */
register_signals ();
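Review bot: The new length check in auth_initialize only prints the "too long" message; no `return` or `exit` follows the `fprintf` in the visible lines, so an over-long name still falls through to `xauth_filename = authfilename;` and can later reach the fixed-size `temp_name` in auth_finalize. Unless something outside the hunk stops execution, the block should end with a failure return, e.g. `return -1;` before the closing brace, using whatever error value the function's other failure paths use (its return type is not visible here). The hunk counts (6 old lines, 10 new) confirm that only the four shown lines were added. auth_initialize's body continues beyond the hunk.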
@@ -854,7 +858,7 @@ write_auth_file(char *tmp_nam)
int
auth_finalize(void)
{
- char temp_name[1024]; /* large filename size */
+ char temp_name[1025]; /* large filename size */
if (xauth_modified) {
if (dieing) {
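Review bot: The size `1025` here and the `1022` limit added in auth_initialize are two bare literals that must stay in step, and nothing in the code ties them together. A shared named constant, or at least a comment on the declaration such as `/* holds a name of up to 1022 bytes (checked in auth_initialize) plus suffix and NUL; matches libXau */`, would keep a later edit from reintroducing the off-by-one. The existing comment `/* large filename size */` does not say where the number comes from. auth_finalize's body continues outside the hunk, so how `temp_name` is filled is not visible here and the exact suffix length should be confirmed against that code.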