author: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-01-17 18:54:03 -0800
committer: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> 2015-02-14 16:14:31 +0100
commit: 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383
tree: adec2cf7d851d672c5376b0e6fa8bcbbb7391f7e
parent: b65259bf3bcca15b5069cb7a6c06f95a40f79813
unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted. It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol).

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Conflicts:
	os/rpcauth.c

-rw-r--r-- nx-X11/programs/Xserver/os/rpcauth.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c
index 3c5cb5946..a12931eb0 100644
--- a/nx-X11/programs/Xserver/os/rpcauth.c
+++ b/nx-X11/programs/Xserver/os/rpcauth.c
@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len)
SVCXPRT xprt;
temp_inmsg = (char *) xalloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *)&msg, 0, sizeof(msg));
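Review bot: the new NULL check in authdes_ezdecode() covers allocation failure only; `len` is a signed `int` and still reaches `xalloc(len)` and `memmove(temp_inmsg, inmsg, len)` with no range check inside this function. The commit message says the value comes from a CARD16 field, so it is bounded by the caller today, but that guarantee is not visible in the hunk. Consider rejecting `len <= 0` in the same branch, or taking an unsigned length, so the function does not rely on its caller for that. It is also worth confirming that every caller inspects `why` after a NULL return, since the failure reason is reported only through that variable and `AUTH_FAILED` is standing in for an allocation error.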