From 67a3319d73a3484b5acbf8ac2b45ca4b80206b4c Mon Sep 17 00:00:00 2001 From: "Enrico Weigelt, metux IT consult" Date: Tue, 6 Aug 2024 15:58:44 +0200 Subject: [PATCH] Xext: security: fix length checking with bigreq The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes. Signed-off-by: Enrico Weigelt, metux IT consult Part-of: --- Xext/security.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Xext/security.c b/Xext/security.c index 762513db1..f6eefc4a7 100644 --- a/Xext/security.c +++ b/Xext/security.c @@ -636,10 +636,10 @@ SProcSecurityGenerateAuthorization(ClientPtr client) values_offset = bytes_to_int32(stuff->nbytesAuthProto) + bytes_to_int32(stuff->nbytesAuthData); if (values_offset > - stuff->length - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq)) + client->req_len - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq)) return BadLength; values = (CARD32 *) (&stuff[1]) + values_offset; - nvalues = (((CARD32 *) stuff) + stuff->length) - values; + nvalues = (((CARD32 *) stuff) + client->req_len) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); } /* SProcSecurityGenerateAuthorization */