authorMichal Srb <msrb@suse.com>2017-07-07 17:04:03 +0200
committerAdam Jackson <ajax@redhat.com>2017-10-12 12:24:49 -0400
commite751722a7b0c5b595794e60b054ade0b3f6cdb4d (patch)
tree6465d7f3a7c906e9f75749140bae64a445df5cf0
parent784d205ff6527c761ffbb1c43c9ad3669dd8d26e (diff)
os: Make sure big requests have sufficient length.
A client can send a big request where the 32-bit "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer. Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
-rw-r--r--os/io.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/os/io.c b/os/io.c
index f80580cfc..70f07f3be 100644
--- a/os/io.c
+++ b/os/io.c
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
if (!gotnow)
AvailableInput = oc;
if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+ YieldControlDeath();
+ return -1;
+ }
+
request = (xReq *) oci->bufptr;
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
*(xReq *) oci->bufptr = *request;
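Review bot: The new guard at the top of the `move_header` branch has no comment, and the bound it enforces — `bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))`, i.e. one 32-bit word — only makes sense to a reader who already knows that the same amount is subtracted from `client->req_len` further down when the big-request header is collapsed into an `xReq`; I would add, directly above the `if`: `/* A big request whose length field is 0 would underflow req_len when the header is shortened below; kill the client instead. */`. Note that the check only rejects the value that underflows, so a big request whose length field is 1 (fewer bytes than the 8-byte `xBigReq` header it claims to carry) still passes and becomes a request with `req_len == 0`; presumably the per-request length checks in dispatch reject that later, but if you prefer to fail such malformed requests here as well, `bytes_to_int32(sizeof(xBigReq))` is the tightest bound that every well-formed big request satisfies — confirm against the other callers of `req_len` before widening the guard. `ReadRequestFromClient` begins and ends outside this hunk, so the `YieldControlDeath(); return -1;` pairing is assumed to match the function's other error exits.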