diff options
author | Rami Ylimäki <rami.ylimaki@vincit.fi> | 2011-10-04 12:25:26 +0300 |
---|---|---|
committer | Jeremy Huddleston <jeremyhu@apple.com> | 2011-11-18 11:26:02 -0800 |
commit | c1bb8f43b9290c2b18a9f0ac59773ff8f1eb974f (patch) | |
tree | 8592b42f3c19f75b64ce0e7ebd6061df1dd010a7 /os/io.c | |
parent | 1f5baa924a5907978f564372265d9830ac72a077 (diff) |
record: Prevent out of bounds access when recording a reply.
Any pad bytes in replies are written to the client from a zeroed
array. However, record extension tries to incorrectly access the pad
bytes from the end of reply data.
Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Diffstat (limited to 'os/io.c')
-rw-r--r-- | os/io.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -809,6 +809,7 @@ WriteToClient (ClientPtr who, int count, const void *__buf) replyinfo.client = who; replyinfo.replyData = buf; replyinfo.dataLenBytes = count + padBytes; + replyinfo.padBytes = padBytes; if (who->replyBytesRemaining) { /* still sending data of an earlier reply */ who->replyBytesRemaining -= count + padBytes; |