author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-05-03 12:29:53 +0200 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2020-05-10 18:03:48 +0000 |
commit | f5af3b21bc94cb020f3530c3cc70f8a9fd6c6452 (patch) | |
tree | 87c92b5b5608e9b0aaa0a57b0735510be655cc45 | |
parent | cb98d3b3c5e0f8a7585ab6e2c909fad68c52fd55 (diff) |
Prevent OOB write with long file names.
If an -f argument is exactly 1022 characters in size, an off-by-one
stack overflow happens in auth_finalize. The overflow could be even
larger if locks are ignored for authentication files.
Make sure that a given authentication file name fits into the temporary
buffer and that this buffer matches the buffer sizes of libXau, which is
used by xauth.
-rw-r--r-- | process.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -697,6 +697,10 @@ auth_initialize(const char *authfilename)
 FILE *authfp; Bool exists;
+ if (strlen(authfilename) > 1022) {
+ fprintf (stderr, "%s: authority file name \"%s\" too long\n",
+ ProgramName, authfilename);
+ }
 xauth_filename = authfilename; /* used in cleanup, prevent race with signals */ register_signals ();
@@ -854,7 +858,7 @@ write_auth_file(char *tmp_nam)
 int auth_finalize(void) {
- char temp_name[1024]; /* large filename size */
+ char temp_name[1025]; /* large filename size */
 if (xauth_modified) { if (dieing) { |
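Review bot: The new length check in auth_initialize only prints the message: nothing in the `if` body returns or exits, so control falls through to `xauth_filename = authfilename;` and a name longer than 1022 characters is still stored and later used by auth_finalize. To actually reject the argument, end the block with a failure return, for example `return -1;` after the `fprintf` (confirm the function's error convention, since its return type and the rest of its body are outside the hunk). The literal `1022` would also be safer as a named constant shared with the `temp_name` size so the two cannot drift apart.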
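Review bot: The comment on `temp_name[1025]` still reads "large filename size" and does not say why the size is 1025 or that it depends on the 1022-character limit checked in auth_initialize. Suggest `/* 1022-char file name + suffix + NUL; keep in sync with the check in auth_initialize and with libXau */`, with the suffix length confirmed against write_auth_file, which is outside this hunk. Whether the copy into this buffer is itself bounded cannot be seen here; write_auth_file takes only `char *tmp_nam`, so the buffer's safety appears to rest on the caller-side check alone.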