summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEamon Walsh <ewalsh@tycho.nsa.gov>2009-04-08 15:10:16 -0400
committerEamon Walsh <ewalsh@tycho.nsa.gov>2009-04-08 15:10:16 -0400
commite8b324102f6e21ae2b8292a6f50d016dd6254dd6 (patch)
treef6faa29c0c1e92c9fac89666f1bc59555d104eb5
parentdf27b870a8db7a5153b18a556fe77efa590f9eee (diff)
xselinux: Don't require incoming context strings to be null-terminated.
-rw-r--r--Xext/xselinux.c66
1 files changed, 45 insertions, 21 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 4a1fe004b..399e28ad4 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -1258,6 +1258,17 @@ typedef struct {
CARD32 id;
} SELinuxListItemRec;
+static security_context_t
+SELinuxCopyContext(char *ptr, unsigned len)
+{
+ security_context_t copy = xalloc(len + 1);
+ if (!copy)
+ return NULL;
+ strncpy(copy, ptr, len);
+ copy[len] = '\0';
+ return copy;
+}
+
static int
ProcSELinuxQueryVersion(ClientPtr client)
{
@@ -1315,29 +1326,34 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
{
PrivateRec **privPtr = &client->devPrivates;
security_id_t *pSid;
- security_context_t ctx;
+ security_context_t ctx = NULL;
char *ptr;
+ int rc;
REQUEST(SELinuxSetCreateContextReq);
REQUEST_FIXED_SIZE(SELinuxSetCreateContextReq, stuff->context_len);
- ctx = (char *)(stuff + 1);
- if (stuff->context_len > 0 && ctx[stuff->context_len - 1])
- return BadLength;
+ if (stuff->context_len > 0) {
+ ctx = SELinuxCopyContext((char *)(stuff + 1), stuff->context_len);
+ if (!ctx)
+ return BadAlloc;
+ }
if (offset == CTX_DEV) {
/* Device create context currently requires manage permission */
- int rc = XaceHook(XACE_SERVER_ACCESS, client, DixManageAccess);
+ rc = XaceHook(XACE_SERVER_ACCESS, client, DixManageAccess);
if (rc != Success)
- return rc;
+ goto out;
privPtr = &serverClient->devPrivates;
}
else if (offset == USE_SEL) {
/* Selection use context currently requires no selections owned */
Selection *pSel;
for (pSel = CurrentSelections; pSel; pSel = pSel->next)
- if (pSel->client == client)
- return BadMatch;
+ if (pSel->client == client) {
+ rc = BadMatch;
+ goto out;
+ }
}
ptr = dixLookupPrivate(privPtr, subjectKey);
@@ -1345,13 +1361,15 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
sidput(*pSid);
*pSid = NULL;
+ rc = Success;
if (stuff->context_len > 0) {
- if (security_check_context_raw(ctx) < 0)
- return BadValue;
- if (avc_context_to_sid_raw(ctx, pSid) < 0)
- return BadValue;
+ if (security_check_context_raw(ctx) < 0 ||
+ avc_context_to_sid_raw(ctx, pSid) < 0)
+ rc = BadValue;
}
- return Success;
+out:
+ xfree(ctx);
+ return rc;
}
static int
@@ -1384,18 +1402,21 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
REQUEST(SELinuxSetContextReq);
REQUEST_FIXED_SIZE(SELinuxSetContextReq, stuff->context_len);
- ctx = (char *)(stuff + 1);
- if (stuff->context_len < 1 || ctx[stuff->context_len - 1])
+ if (stuff->context_len < 1)
return BadLength;
+ ctx = SELinuxCopyContext((char *)(stuff + 1), stuff->context_len);
+ if (!ctx)
+ return BadAlloc;
rc = dixLookupDevice(&dev, stuff->id, client, DixManageAccess);
if (rc != Success)
- return rc;
+ goto out;
- if (security_check_context_raw(ctx) < 0)
- return BadValue;
- if (avc_context_to_sid_raw(ctx, &sid) < 0)
- return BadValue;
+ if (security_check_context_raw(ctx) < 0 ||
+ avc_context_to_sid_raw(ctx, &sid) < 0) {
+ rc = BadValue;
+ goto out;
+ }
subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
sidput(subj->sid);
@@ -1404,7 +1425,10 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
sidput(obj->sid);
sidget(obj->sid = sid);
- return Success;
+ rc = Success;
+out:
+ xfree(ctx);
+ return rc;
}
static int