author | herrb <herrb> | 2001-02-08 21:13:14 +0000 |
---|---|---|
committer | herrb <herrb> | 2001-02-08 21:13:14 +0000 |
commit | 6a049437e8c05d0d3aed851f2100b986d340feb1 (patch) | |
tree | f180ca0fd4257ea3b6cc790f1c47df1c1d839973 | |
parent | 3142dde9866c8b1f8c98bdefd2099d99249ac6ad (diff) |
pull patch for libICE denial of service from 4.0.2 (#4450, Branden Robinson)
-rw-r--r-- | lib/ICE/ICElibint.h | 14 | ||||
-rw-r--r-- | lib/ICE/process.c | 55 |
2 files changed, 49 insertions, 20 deletions
diff --git a/lib/ICE/ICElibint.h b/lib/ICE/ICElibint.h index 27d3a7aeb..679bf067f 100644 --- a/lib/ICE/ICElibint.h +++ b/lib/ICE/ICElibint.h @@ -288,20 +288,24 @@ typedef struct { } -#define SKIP_STRING(_pBuf, _swap) \ +#define SKIP_STRING(_pBuf, _swap, _end) \ { \ CARD16 _len; \ EXTRACT_CARD16 (_pBuf, _swap, _len); \ - _pBuf += _len; \ - if (PAD32 (2 + _len)) \ + if ((_pBuf+_len) < _end) { \ + _pBuf += _len; \ + if ( (PAD32 (2 + _len)) && ( (PAD32(2+_len) + _pBuf < _end) )) \ _pBuf += PAD32 (2 + _len); \ + } else {\ + return(0);\ + }\ } -#define SKIP_LISTOF_STRING(_pBuf, _swap, _count) \ +#define SKIP_LISTOF_STRING(_pBuf, _swap, _count, _end) \ { \ int _i; \ for (_i = 0; _i < _count; _i++) \ - SKIP_STRING (_pBuf, _swap); \ + SKIP_STRING (_pBuf, _swap, _end); \ } diff --git a/lib/ICE/process.c b/lib/ICE/process.c index 8e725f12a..796e86f93 100644 --- a/lib/ICE/process.c +++ b/lib/ICE/process.c @@ -1,4 +1,5 @@ /* $XConsortium: process.c,v 1.43 94/08/25 15:44:43 mor Exp $ */ +/* $XFree86: xc/lib/ICE/process.c,v 3.0 1994/06/28 12:19:30 dawes Exp $ */ /****************************************************************************** @@ -31,6 +32,9 @@ Author: Ralph Mor, X Consortium #include <X11/ICE/ICElib.h> #include "ICElibint.h" +#ifdef MINIX +#include <X11/Xtrans.h> +#endif /* * Check for bad length @@ -815,7 +819,7 @@ Bool swap; int myAuthCount, hisAuthCount; int found, i, j; char *myAuthName, **hisAuthNames; - char *pData, *pStart; + char *pData, *pStart, *pEnd; char *vendor = NULL; char *release = NULL; int myAuthIndex = 0; 
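Review bot: SKIP_STRING still runs `EXTRACT_CARD16` before any comparison with `_end`, so when fewer than two bytes remain the length field itself is read past the end of the message. The new test `(_pBuf+_len) < _end` also forms a pointer that may already lie beyond the buffer, and its strict `<` rejects a string that ends exactly at `_end`. When the padding would not fit, the macro skips the advance without failing, so parsing continues on a misaligned pointer. Comparing remaining byte counts instead of pointers closes all three gaps; the sketch below assumes every string, including the last, is padded inside the message, which should be confirmed against the protocol spec.

```c
#define SKIP_STRING(_pBuf, _swap, _end) \
{ \
    CARD16 _len; \
    if ((_end) - (_pBuf) < 2) \
        return (0); \
    EXTRACT_CARD16 (_pBuf, _swap, _len); \
    if ((_end) - (_pBuf) < _len + PAD32 (2 + _len)) \
        return (0); \
    _pBuf += _len + PAD32 (2 + _len); \
}
/* … unchanged: SKIP_LISTOF_STRING … */
```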
@@ -839,10 +843,11 @@ Bool swap; } pData = pStart; + pEnd = pStart + (length << 3); - SKIP_STRING (pData, swap); /* vendor */ - SKIP_STRING (pData, swap); /* release */ - SKIP_LISTOF_STRING (pData, swap, (int) message->authCount);/* auth names */ + SKIP_STRING (pData, swap, pEnd); /* vendor */ + SKIP_STRING (pData, swap, pEnd); /* release */ + SKIP_LISTOF_STRING (pData, swap, (int) message->authCount, pEnd);/* auth names */ pData += (message->versionCount * 4); /* versions */ CHECK_COMPLETE_SIZE (iceConn, ICE_ConnectionSetup, @@ -1681,7 +1686,7 @@ IceReplyWaitInfo *replyWait; { iceConnectionReplyMsg *message; - char *pData, *pStart; + char *pData, *pStart, *pEnd; Bool replyReady; CHECK_AT_LEAST_SIZE (iceConn, ICE_ConnectionReply, @@ -1697,9 +1702,10 @@ IceReplyWaitInfo *replyWait; } pData = pStart; + pEnd = pStart + (length << 3); - SKIP_STRING (pData, swap); /* vendor */ - SKIP_STRING (pData, swap); /* release */ + SKIP_STRING (pData, swap, pEnd); /* vendor */ + SKIP_STRING (pData, swap, pEnd); /* release */ CHECK_COMPLETE_SIZE (iceConn, ICE_ConnectionReply, length, pData - pStart + SIZEOF (iceConnectionReplyMsg), @@ -1785,7 +1791,7 @@ Bool swap; int found, i, j; char *myAuthName, **hisAuthNames; char *protocolName; - char *pData, *pStart; + char *pData, *pStart, *pEnd; char *vendor = NULL; char *release = NULL; int accept_setup_now = 0; @@ -1820,11 +1826,12 @@ Bool swap; } pData = pStart; + pEnd = pStart + (length << 3); - SKIP_STRING (pData, swap); /* proto name */ - SKIP_STRING (pData, swap); /* vendor */ - SKIP_STRING (pData, swap); /* release */ - SKIP_LISTOF_STRING (pData, swap, (int) message->authCount);/* auth names */ + SKIP_STRING (pData, swap, pEnd); /* proto name */ + SKIP_STRING (pData, swap, pEnd); /* vendor */ + SKIP_STRING (pData, swap, pEnd); /* release */ + SKIP_LISTOF_STRING (pData, swap, (int) message->authCount, pEnd);/* auth names */ pData += (message->versionCount * 4); /* versions */ CHECK_COMPLETE_SIZE (iceConn, ICE_ProtocolSetup, 
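Review bot: The `return(0)` hidden inside SKIP_STRING now exits this function at the first over-long string, before the `CHECK_COMPLETE_SIZE` call that follows. A truncated ICE_ConnectionSetup message is therefore dropped without passing through the visible bad-length check and without any release of the buffer at `pStart`. The ICE_ConnectionReply, ICE_ProtocolSetup and ICE_ProtocolReply hunks have the same problem. These functions begin and end outside the hunks, so whether 0 is a meaningful return value for each, and whether `pStart` must be disposed of, cannot be confirmed from here; an explicit bail-out at the call site would make the exit path reviewable. Separately, `pEnd = pStart + (length << 3)` is only a correct bound if `pStart` is the first byte counted by `length`, which deserves a comment such as `/* pEnd: one past the last byte read for this message (verify against the read macro) */`, and `pData += (message->versionCount * 4)` is still not compared with `pEnd`.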
@@ -2166,7 +2173,7 @@ IceReplyWaitInfo *replyWait; { iceProtocolReplyMsg *message; - char *pData, *pStart; + char *pData, *pStart, *pEnd; Bool replyReady; CHECK_AT_LEAST_SIZE (iceConn, ICE_ProtocolReply, @@ -2182,9 +2189,10 @@ IceReplyWaitInfo *replyWait; } pData = pStart; + pEnd = pStart + (length << 3); - SKIP_STRING (pData, swap); /* vendor */ - SKIP_STRING (pData, swap); /* release */ + SKIP_STRING (pData, swap, pEnd); /* vendor */ + SKIP_STRING (pData, swap, pEnd); /* release */ CHECK_COMPLETE_SIZE (iceConn, ICE_ProtocolReply, length, pData - pStart + SIZEOF (iceProtocolReplyMsg), @@ -2489,3 +2497,20 @@ Bool *connectionClosedRet; if (replyWait) *replyReadyRet = replyReady; } + + +#ifdef MINIX +int +MNX_IceMessagesAvailable(iceConn) + +IceConn iceConn; +{ + BytesReadable_t bytes; + + _IceTransSetOption(iceConn->trans_conn, TRANS_NONBLOCKING, 1); + if (_IceTransBytesReadable(iceConn->trans_conn, &bytes) < 0) + bytes= -1; + _IceTransSetOption(iceConn->trans_conn, TRANS_NONBLOCKING, 0); + return (bytes != 0); +} +#endif |
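Review bot: MNX_IceMessagesAvailable ignores the result of both `_IceTransSetOption` calls, so if the second call fails the connection stays non-blocking for every later read with nothing reported. A failed `_IceTransBytesReadable` also sets `bytes` to -1 and is therefore returned as "messages available". If that is deliberate, so that the caller's next read surfaces the error, record it with a comment such as `/* on failure report "available" so the subsequent read reports the error */`. The function has no header comment describing its return value, and a one-line `/* Returns non-zero if input is pending or the readable-bytes query failed. */` would cover it.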