Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From d2f5bd2c3e3cbe4778749d457550355d344ca62a Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Fri, 17 Jan 2014 18:54:03 -0800 | |
4 | Subject: [PATCH 01/33] unchecked malloc may allow unauthed client to crash | |
5 | Xserver [CVE-2014-8091] | |
6 | ||
7 | authdes_ezdecode() calls malloc() using a length provided by the | |
8 | connection handshake sent by a newly connected client in order | |
9 | to authenticate to the server, so should be treated as untrusted. | |
10 | ||
11 | It didn't check if malloc() failed before writing to the newly | |
12 | allocated buffer, so could lead to a server crash if the server | |
13 | fails to allocate memory (up to UINT16_MAX bytes, since the len | |
14 | field is a CARD16 in the X protocol). | |
15 | ||
16 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
17 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
18 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
19 | --- | |
20 | os/rpcauth.c | 4 ++++ | |
21 | 1 file changed, 4 insertions(+) | |
22 | ||
7217e0ca ML |
23 | --- a/os/rpcauth.c |
24 | +++ b/os/rpcauth.c | |
4db25562 | 25 | @@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int |
7217e0ca ML |
26 | SVCXPRT xprt; |
27 | ||
28 | temp_inmsg = malloc(len); | |
29 | + if (temp_inmsg == NULL) { | |
30 | + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ | |
31 | + return NULL; | |
32 | + } | |
33 | memmove(temp_inmsg, inmsg, len); | |
34 | ||
35 | memset((char *) &msg, 0, sizeof(msg)); |
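
Review bot: The added NULL check after `temp_inmsg = malloc(len);` does not distinguish a zero `len` from an allocation failure. malloc(0) is allowed to return NULL, so an empty message would take the AUTH_FAILED path on some platforms and continue into memmove() on others; rejecting `len == 0` explicitly before the allocation would make the behaviour uniform. The failure path is also silent, and since the comment notes AUTH_FAILED is only a generic error, a log message at this point would let an administrator tell memory exhaustion apart from a failed authentication when a client triggers it.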