summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-10 12:20:00 -0600
committerJeremy Huddleston <jeremyhu@freedesktop.org>2008-06-11 11:33:36 -0700
commit2af571dbf176a1f77c2235d750356663f7e70282 (patch)
treedb303d94a59230096c0faef2bcff840168832bfc
parent817b20030b073f9e92c77c0f6887d080c99ae6df (diff)
CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the SProcSecurityGenerateAuthorization SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption. (cherry picked from commit 95d162c4389857d960da9b0158345c1714e91f31)
-rw-r--r--Xext/security.c10
-rw-r--r--record/record.c16
2 files changed, 20 insertions, 6 deletions
diff --git a/Xext/security.c b/Xext/security.c
index ac762794a..7e8a06e38 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
register char n;
CARD32 *values;
unsigned long nvalues;
+ int values_offset;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
swaps(&stuff->nbytesAuthProto, n);
swaps(&stuff->nbytesAuthData, n);
swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client);
diff --git a/record/record.c b/record/record.c
index 0ed8f84c2..9a166d67b 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
-static void
+static int
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
{
register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
swapl(&stuff->nClients, n);
swapl(&stuff->nRanges, n);
pClientID = (XID *)&stuff[1];
+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+ return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++)
{
swapl(pClientID, n);
}
+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+ - stuff->nClients)
+ return BadLength;
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+ return Success;
} /* SwapCreateRegister */
@@ -2679,11 +2685,13 @@ static int
SProcRecordCreateContext(ClientPtr client)
{
REQUEST(xRecordCreateContextReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2692,11 +2700,13 @@ static int
SProcRecordRegisterClients(ClientPtr client)
{
REQUEST(xRecordRegisterClientsReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */