Commit ea823965 authored by Kees Cook, committed by Ulrich Sibiller

libX11: check size of GetReqExtra after XFlush

Two users of GetReqExtra pass arbitrarily sized allocations from the caller (ModMap and Host). Adjust _XGetRequest() (called by the GetReqExtra macro) to double-check the requested length and invalidate "req" when this happens. Users of GetReqExtra passing lengths greater than the Xlib buffer size (normally 16K) must check "req" and fail gracefully instead of crashing.

Any callers of GetReqExtra that do not check "req" for NULL will experience this change, in the pathological case, as a NULL dereference instead of a buffer overflow. This is an improvement, but the documentation for GetReqExtra has been updated to reflect the need to check the value of "req" after the call.

Bug that manifested the problem: https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/792628

Signed-off-by: Kees Cook <kees@outflux.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
parent 39c6e5aa
......@@ -65,9 +65,9 @@ XGetModifierMapping(register Display *dpy)
/*
* Returns:
* 0 Success
* 1 Busy - one or more old or new modifiers are down
* 2 Failed - one or more new modifiers unacceptable
* MappingSuccess (0) Success
* MappingBusy (1) Busy - one or more old or new modifiers are down
* MappingFailed (2) Failed - one or more new modifiers unacceptable
*/
int
XSetModifierMapping(
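Review bot: The MappingFailed line in the updated Returns comment still describes only "one or more new modifiers unacceptable", but the following hunk also returns MappingFailed when GetReqExtra yields a NULL req. Extend the comment to say that MappingFailed is also returned when the request does not fit the output buffer, so callers reading the header comment know the value can come from a local failure as well as from the server reply.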
......@@ -80,6 +80,10 @@ XSetModifierMapping(
LockDisplay(dpy);
GetReqExtra(SetModifierMapping, mapSize, req);
if (!req) {
UnlockDisplay(dpy);
return MappingFailed;
}
req->numKeyPerModifier = modifier_map->max_keypermod;
......
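Review bot: The if (!req) check after GetReqExtra(SetModifierMapping, mapSize, req) protects this call site only, while the _XGetRequest() hunk makes every GetReqExtra user a potential recipient of NULL. The commit message names Host as the second caller with a caller-controlled length, and the hunks visible here add the check only to XSetModifierMapping, so confirm the Host path has the same unlock-and-fail branch and that any remaining GetReqExtra callers pass lengths that cannot exceed the buffer.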
......@@ -3980,6 +3980,14 @@ void *_XGetRequest(Display *dpy, CARD8 type, size_t len)
if (dpy->bufptr + len > dpy->bufmax)
_XFlush(dpy);
/* Request still too large, so do not allow it to overflow. */
if (dpy->bufptr + len > dpy->bufmax) {
fprintf(stderr,
"Xlib: request %d length %zd would exceed buffer size.\n",
type, len);
/* Changes failure condition from overflow to NULL dereference. */
return NULL;
}
if (len % 4)
fprintf(stderr,
......
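Review bot: Both comparisons of dpy->bufptr + len > dpy->bufmax add the caller-supplied size_t len to a pointer before comparing, so a large enough len can wrap the sum and slip past the very check the new block depends on. Compare sizes instead of pointers, for example len > (size_t)(dpy->bufmax - dpy->bufptr), in the flush condition and in the new guard. Separately, len is a size_t, so the fprintf format should use %zu rather than %zd.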