1 | From 7d4f361a216718fc7333ab805dafdb9e5c85c180 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Wed, 22 Jan 2014 23:44:46 -0800 | |
4 | Subject: [PATCH 05/33] dix: integer overflow in REQUEST_FIXED_SIZE() | |
5 | [CVE-2014-8092 4/4] | |
6 | ||
7 | Force use of 64-bit integers when evaluating data provided by clients | |
8 | in 32-bit fields which can overflow when added or multiplied during | |
9 | checks. | |
10 | ||
11 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
14 | --- | |
15 | include/dix.h | 3 ++- | |
16 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
17 | ||
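--- a/include/dix.h
+++ b/include/dix.h
@@ -76,7 +76,8 @@ SOFTWARE.
 
 #define REQUEST_FIXED_SIZE(req, n)\
 if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
 return(BadLength)
 
 #define LEGAL_NEW_RESOURCE(id,client)\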
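Review bot: The added bound `((n >> 2) >= client->req_len)` expands the macro argument `n` without parentheses, unlike the `(n)` on the line after it. A caller passing a compound expression such as `a + b` would get `a + (b >> 2)` by precedence, so the guard meant to reject oversized client-supplied lengths would test a different value than the 64-bit sum that follows. Write it as `(((n) >> 2) >= client->req_len) || \`. The call sites are outside this hunk, so whether any of them passes a compound or signed expression should be checked; a negative `n` would also make the right shift implementation-defined.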