CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the SProcSecurityGenerateAuthorization SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption.
This commit is contained in:
Matthieu Herrb
Matthieu Herrb
parent
656d5d9885
commit
95d162c438
|
|
@ -676,15 +676,19 @@ SProcSecurityGenerateAuthorization(
|
|||
char n;
|
||||
CARD32 *values;
|
||||
unsigned long nvalues;
|
||||
int values_offset;
|
||||
|
||||
swaps(&stuff->length, n);
|
||||
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
|
||||
swaps(&stuff->nbytesAuthProto, n);
|
||||
swaps(&stuff->nbytesAuthData, n);
|
||||
swapl(&stuff->valueMask, n);
|
||||
values = (CARD32 *)(&stuff[1]) +
|
||||
((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
|
||||
values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
|
||||
((stuff->nbytesAuthData + (unsigned)3) >> 2);
|
||||
if (values_offset >
|
||||
stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
|
||||
return BadLength;
|
||||
values = (CARD32 *)(&stuff[1]) + values_offset;
|
||||
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
|
||||
SwapLongs(values, nvalues);
|
||||
return ProcSecurityGenerateAuthorization(client);
|
||||
|
|
|
|||
|
|
@ -2658,7 +2658,7 @@ SProcRecordQueryVersion(ClientPtr client)
|
|||
} /* SProcRecordQueryVersion */
|
||||
|
||||
|
||||
static void
|
||||
static int
|
||||
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
|
||||
{
|
||||
register char n;
|
||||
|
|
@ -2669,11 +2669,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
|
|||
swapl(&stuff->nClients, n);
|
||||
swapl(&stuff->nRanges, n);
|
||||
pClientID = (XID *)&stuff[1];
|
||||
if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
|
||||
return BadLength;
|
||||
for (i = 0; i < stuff->nClients; i++, pClientID++)
|
||||
{
|
||||
swapl(pClientID, n);
|
||||
}
|
||||
if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
|
||||
- stuff->nClients)
|
||||
return BadLength;
|
||||
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
|
||||
return Success;
|
||||
} /* SwapCreateRegister */
|
||||
|
||||
|
||||
|
|
@ -2681,11 +2687,13 @@ static int
|
|||
SProcRecordCreateContext(ClientPtr client)
|
||||
{
|
||||
REQUEST(xRecordCreateContextReq);
|
||||
int status;
|
||||
register char n;
|
||||
|
||||
swaps(&stuff->length, n);
|
||||
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
|
||||
SwapCreateRegister((pointer)stuff);
|
||||
if ((status = SwapCreateRegister((pointer)stuff)) != Success)
|
||||
return status;
|
||||
return ProcRecordCreateContext(client);
|
||||
} /* SProcRecordCreateContext */
|
||||
|
||||
|
|
@ -2694,11 +2702,13 @@ static int
|
|||
SProcRecordRegisterClients(ClientPtr client)
|
||||
{
|
||||
REQUEST(xRecordRegisterClientsReq);
|
||||
int status;
|
||||
register char n;
|
||||
|
||||
swaps(&stuff->length, n);
|
||||
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
|
||||
SwapCreateRegister((pointer)stuff);
|
||||
if ((status = SwapCreateRegister((pointer)stuff)) != Success)
|
||||
return status;
|
||||
return ProcRecordRegisterClients(client);
|
||||
} /* SProcRecordRegisterClients */
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue