summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNathan Kidd <nkidd@opentext.com>2015-01-09 10:15:46 -0500
committerAdam Jackson <ajax@redhat.com>2017-10-12 12:25:41 -0400
commit95f605b42d8bbb6bea2834a1abfc205981c5b803 (patch)
treeeb9ff3063a848aef2d308c465d846e88950bce3e
parentcc41e5b581d287c56f8d7113a97a4882dcfdd696 (diff)
Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
-rw-r--r--dix/dispatch.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 0da431bf9..0fdfe117e 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
auth_proto = (char *) prefix + sz_xConnClientPrefix;
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else