diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-06 23:30:14 -0800 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | d4c76981f7fddb364166464c571ed8d3de3086cd (patch) | |
tree | 4e3d6c0465164e02a944e791c09a34dc34c6c58c /nx-X11/programs/Xserver/dix | |
parent | c1225fe6451d7a5f3741ce0fff8f54e38e0a14da (diff) | |
download | nx-libs-d4c76981f7fddb364166464c571ed8d3de3086cd.tar.gz nx-libs-d4c76981f7fddb364166464c571ed8d3de3086cd.tar.bz2 nx-libs-d4c76981f7fddb364166464c571ed8d3de3086cd.zip |
dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/access.c
Diffstat (limited to 'nx-X11/programs/Xserver/dix')
0 files changed, 0 insertions, 0 deletions