frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CVE-2008-1377 - RECORD and Security extensions memory corruption 

Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
This commit is contained in:
Matthieu Herrb 2008-06-10 12:20:00 -06:00 committed by Matthieu Herrb
parent 656d5d9885
commit 95d162c438
2 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Xext/security.c
View File

@ -676,15 +676,19 @@ SProcSecurityGenerateAuthorization(
char n; char n;
CARD32 *values; CARD32 *values;
unsigned long nvalues; unsigned long nvalues;
int values_offset;
swaps(&stuff->length, n); swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthProto, n);
swaps(&stuff->nbytesAuthData, n); swaps(&stuff->nbytesAuthData, n);
swapl(&stuff->valueMask, n); swapl(&stuff->valueMask, n);
values = (CARD32 *)(&stuff[1]) + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
((stuff->nbytesAuthProto + (unsigned)3) >> 2) + ((stuff->nbytesAuthData + (unsigned)3) >> 2);
((stuff->nbytesAuthData + (unsigned)3) >> 2); if (values_offset >
stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
return BadLength;
values = (CARD32 *)(&stuff[1]) + values_offset;
nvalues = (((CARD32 *)stuff) + stuff->length) - values; nvalues = (((CARD32 *)stuff) + stuff->length) - values;
SwapLongs(values, nvalues); SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client); return ProcSecurityGenerateAuthorization(client);

16
record/record.c
View File

@ -2658,7 +2658,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */ } /* SProcRecordQueryVersion */
static void static int
SwapCreateRegister(xRecordRegisterClientsReq *stuff) SwapCreateRegister(xRecordRegisterClientsReq *stuff)
{ {
register char n; register char n;
@ -2669,11 +2669,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
swapl(&stuff->nClients, n); swapl(&stuff->nClients, n);
swapl(&stuff->nRanges, n); swapl(&stuff->nRanges, n);
pClientID = (XID *)&stuff[1]; pClientID = (XID *)&stuff[1];
if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) for (i = 0; i < stuff->nClients; i++, pClientID++)
{ {
swapl(pClientID, n); swapl(pClientID, n);
} }
if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges); RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
return Success;
} /* SwapCreateRegister */ } /* SwapCreateRegister */
@ -2681,11 +2687,13 @@ static int
SProcRecordCreateContext(ClientPtr client) SProcRecordCreateContext(ClientPtr client)
{ {
REQUEST(xRecordCreateContextReq); REQUEST(xRecordCreateContextReq);
int status;
register char n; register char n;
swaps(&stuff->length, n); swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
SwapCreateRegister((pointer)stuff); if ((status = SwapCreateRegister((pointer)stuff)) != Success)
return status;
return ProcRecordCreateContext(client); return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */ } /* SProcRecordCreateContext */
@ -2694,11 +2702,13 @@ static int
SProcRecordRegisterClients(ClientPtr client) SProcRecordRegisterClients(ClientPtr client)
{ {
REQUEST(xRecordRegisterClientsReq); REQUEST(xRecordRegisterClientsReq);
int status;
register char n; register char n;
swaps(&stuff->length, n); swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
SwapCreateRegister((pointer)stuff); if ((status = SwapCreateRegister((pointer)stuff)) != Success)
return status;
return ProcRecordRegisterClients(client); return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */ } /* SProcRecordRegisterClients */