Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)

Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
author: Nathan Kidd <nkidd@opentext.com> 2015-01-09 10:15:46 -0500
committer: Julien Cristau <jcristau@debian.org> 2017-10-10 23:33:44 +0200
commit: b747da5e25be944337a9cd1415506fc06b70aa81 (patch)
tree: 2d4cba2c9b4ea629271757267520b12e8083e952
parent: 4ca68b878e851e2136c234f40a25008297d8d831 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 8b371b678..176c7a0dd 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
     prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
     auth_proto = (char *) prefix + sz_xConnClientPrefix;
     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
-    if ((prefix->majorVersion != X_PROTOCOL) ||
+
+    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+	pad_to_int32(prefix->nbytesAuthProto) +
+	pad_to_int32(prefix->nbytesAuthString))
+        reason = "Bad length";
+    else if ((prefix->majorVersion != X_PROTOCOL) ||
         (prefix->minorVersion != X_PROTOCOL_REVISION))
         reason = "Protocol version mismatch";
     else
author	Nathan Kidd <nkidd@opentext.com>	2015-01-09 10:15:46 -0500
committer	Julien Cristau <jcristau@debian.org>	2017-10-10 23:33:44 +0200
commit	b747da5e25be944337a9cd1415506fc06b70aa81 (patch)
tree	2d4cba2c9b4ea629271757267520b12e8083e952
parent	4ca68b878e851e2136c234f40a25008297d8d831 (diff)