authorMichal Srb <msrb@suse.com>2017-07-07 17:04:03 +0200
committerEric Anholt <eric@anholt.net>2017-10-09 17:08:33 -0700
commit9c23685009aa96f4b861dcc5d2e01dbee00c4dd9 (patch)
treef130b518bfe0d53625e26832c17f79811cc71cdd
parentc2f2b25ab55c67f9f3ad07c02fa746eae7c61196 (diff)
os: Make sure big requests have sufficient length.
A client can send a big request where the 32B "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer. Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r--os/io.c5
1 files changed, 5 insertions, 0 deletions
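diff --git a/os/io.c b/os/io.c
index b0402912a..955c24924 100644
--- a/os/io.c
+++ b/os/io.c
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
 if (!gotnow)
 AvailableInput = oc;
 if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+ YieldControlDeath();
+ return -1;
+ }
+
 request = (xReq *) oci->bufptr;
 oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
 *(xReq *) oci->bufptr = *request;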
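Review bot: The new guard at the top of the `move_header` block still admits a big-request length of exactly `bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))`; if, as the commit message describes, that same amount is then subtracted from `client->req_len`, the request ends up with `req_len` 0, shorter than the `xReq` header it is being rewritten into, so unless a later length check is known to reject that, `<=` is the safer bound. The check also deserves a comment tying it to the reason it exists, e.g. `/* A big request shorter than the header bytes stripped below would wrap req_len when the length is corrected. */`. Since `bytes_to_int32(sizeof ...)` is presumably `size_t`-typed while `client->req_len` may be a signed `int`, confirm the comparison cannot promote a negative `req_len` to a large unsigned value that passes the test. ReadRequestFromClient begins before this hunk, and the code that adjusts `req_len` after the header copy lies outside it.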