Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001 |
2 | From: Keith Packard <keithp@keithp.com> | |
3 | Date: Tue, 9 Dec 2014 09:31:00 -0800 | |
4 | Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 | |
5 | pt. 6] | |
6 | ||
7 | GetHosts saves the pointer to allocated memory in *data, and then | |
8 | wants to bounds-check writes to that region, but was mistakenly using | |
9 | a bare 'data' instead of '*data'. Also, data is declared as void **, | |
10 | so we need a cast to turn it into a byte pointer so we can actually do | |
11 | pointer comparisons. | |
12 | ||
13 | Signed-off-by: Keith Packard <keithp@keithp.com> | |
14 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
15 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
16 | ||
4db25562 JB |
17 | --- a/os/access.c |
18 | +++ b/os/access.c | |
19 | @@ -1335,7 +1335,7 @@ GetHosts(pointer *data, int *pnHosts, in | |
7217e0ca ML |
20 | } |
21 | for (host = validhosts; host; host = host->next) { | |
22 | len = host->len; | |
23 | - if ((ptr + sizeof(xHostEntry) + len) > (data + n)) | |
24 | + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) | |
25 | break; | |
26 | ((xHostEntry *) ptr)->family = host->family; | |
27 | ((xHostEntry *) ptr)->length = len; |