author | Nathan Kidd <nkidd@opentext.com> | 2015-01-09 10:15:46 -0500 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2017-10-10 23:33:44 +0200 |
commit | b747da5e25be944337a9cd1415506fc06b70aa81 (patch) | |
tree | 2d4cba2c9b4ea629271757267520b12e8083e952 | |
parent | 4ca68b878e851e2136c234f40a25008297d8d831 (diff) |
Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r-- | dix/dispatch.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 8b371b678..176c7a0dd 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
 prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
 auth_proto = (char *) prefix + sz_xConnClientPrefix;
 auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
 (prefix->minorVersion != X_PROTOCOL_REVISION))
 reason = "Protocol version mismatch";
 else |
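Review bot: The new length check reads `prefix->nbytesAuthProto` and `prefix->nbytesAuthString`, and `auth_string` is derived from the former just above it, before anything in this hunk establishes that the request is long enough to hold the fixed-size `xConnClientPrefix` at all. The body of ProcEstablishConnection starts and ends outside the hunk, so an earlier guarantee may exist; if it does not, a lower bound should be the first arm of the chain, `if ((client->req_len << 2) < sz_xReq + sz_xConnClientPrefix) reason = "Bad length";`, with the equality test following as `else if`. A comment above the check would also help the next reader, for example `/* Both auth lengths are client-supplied: require that they account for exactly the bytes of this request before auth_proto/auth_string are used. */`.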