os: Account for bytes to ignore when sharing input buffer
When reading requests from the clients, the input buffer might be shared and used between different clients. If a given client sends a full request with non-zero bytes to ignore, the bytes to ignore may still be non-zero even though the request is full, in which case the buffer could be shared with another client who's request will not be processed because of those bytes to ignore, leading to a possible hang of the other client request. To avoid the issue, make sure we have zero bytes to ignore left in the input request when sharing the input buffer with another client. CVE-2025-49178 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and reported by Julian Suleder via ERNW Vulnerability Disclosure. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
This commit is contained in:
Olivier Fourdan
Enrico Weigelt
parent
a1e44d3c4f
commit
0d6af5a542
2
os/io.c
2
os/io.c
|
|
@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client)
|
||||||
*/
|
*/
|
||||||
|
|
||||||
gotnow -= needed;
|
gotnow -= needed;
|
||||||
if (!gotnow)
|
if (!gotnow && !oci->ignoreBytes)
|
||||||
AvailableInput = oc;
|
AvailableInput = oc;
|
||||||
if (move_header) {
|
if (move_header) {
|
||||||
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
|
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue