unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]

authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted. It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/rpcauth.c

unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
37e7fb1f · Alan Coopersmith · Mike Gabriel · b65259bf · 37e7fb1f
Commit 37e7fb1f authored Jan 17, 2014 by Alan Coopersmith Committed by Mike Gabriel Feb 14, 2015
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

rpcauth.c nx-X11/programs/Xserver/os/rpcauth.c +4 -0

No files found.
--- a/nx-X11/programs/Xserver/os/rpcauth.c
+++ b/nx-X11/programs/Xserver/os/rpcauth.c
@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len)
    SVCXPRT         xprt;
    temp_inmsg = (char *) xalloc(len);
+    if (temp_inmsg == NULL) {
+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+        return NULL;
+    }
    memmove(temp_inmsg, inmsg, len);
    memset((char *)&msg, 0, sizeof(msg));