summaryrefslogtreecommitdiff
path: root/os/io.c
diff options
context:
space:
mode:
authorRami Ylimäki <rami.ylimaki@vincit.fi>2011-10-04 12:25:26 +0300
committerJeremy Huddleston <jeremyhu@apple.com>2011-11-18 11:26:02 -0800
commitc1bb8f43b9290c2b18a9f0ac59773ff8f1eb974f (patch)
tree8592b42f3c19f75b64ce0e7ebd6061df1dd010a7 /os/io.c
parent1f5baa924a5907978f564372265d9830ac72a077 (diff)
record: Prevent out of bounds access when recording a reply.
Any pad bytes in replies are written to the client from a zeroed array. However, record extension tries to incorrectly access the pad bytes from the end of reply data. Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi> Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Diffstat (limited to 'os/io.c')
-rw-r--r--os/io.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/os/io.c b/os/io.c
index 068f5f028..955bf8b73 100644
--- a/os/io.c
+++ b/os/io.c
@@ -809,6 +809,7 @@ WriteToClient (ClientPtr who, int count, const void *__buf)
replyinfo.client = who;
replyinfo.replyData = buf;
replyinfo.dataLenBytes = count + padBytes;
+ replyinfo.padBytes = padBytes;
if (who->replyBytesRemaining)
{ /* still sending data of an earlier reply */
who->replyBytesRemaining -= count + padBytes;