[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch

From d2f5bd2c3e3cbe4778749d457550355d344ca62a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 17 Jan 2014 18:54:03 -0800
Subject: [PATCH 01/33] unchecked malloc may allow unauthed client to crash
 Xserver [CVE-2014-8091]

authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.

It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 os/rpcauth.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/os/rpcauth.c
+++ b/os/rpcauth.c
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int
     SVCXPRT xprt;
 
     temp_inmsg = malloc(len);
+    if (temp_inmsg == NULL) {
+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+        return NULL;
+    }
     memmove(temp_inmsg, inmsg, len);
 
     memset((char *) &msg, 0, sizeof(msg));
Commit	Line	Data
7217e0ca ML	1	From d2f5bd2c3e3cbe4778749d457550355d344ca62a Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Fri, 17 Jan 2014 18:54:03 -0800
	4	Subject: [PATCH 01/33] unchecked malloc may allow unauthed client to crash
	5	Xserver [CVE-2014-8091]
	6
	7	authdes_ezdecode() calls malloc() using a length provided by the
	8	connection handshake sent by a newly connected client in order
	9	to authenticate to the server, so should be treated as untrusted.
	10
	11	It didn't check if malloc() failed before writing to the newly
	12	allocated buffer, so could lead to a server crash if the server
	13	fails to allocate memory (up to UINT16_MAX bytes, since the len
	14	field is a CARD16 in the X protocol).
	15
	16	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	17	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	18	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	19	---
	20	os/rpcauth.c \| 4 ++++
	21	1 file changed, 4 insertions(+)
	22
7217e0ca ML	23	--- a/os/rpcauth.c
7217e0ca ML	24	+++ b/os/rpcauth.c
4db25562	25	@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int
7217e0ca ML	26	SVCXPRT xprt;
	27
	28	temp_inmsg = malloc(len);
	29	+ if (temp_inmsg == NULL) {
	30	+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
	31	+ return NULL;
	32	+ }
	33	memmove(temp_inmsg, inmsg, len);
	34
	35	memset((char *) &msg, 0, sizeof(msg));