diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-17 18:54:03 -0800 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
| commit | 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 (patch) | |
| tree | adec2cf7d851d672c5376b0e6fa8bcbbb7391f7e /nx-X11/programs/Xserver/os | |
| parent | b65259bf3bcca15b5069cb7a6c06f95a40f79813 (diff) | |
| download | nx-libs-37e7fb1f64b29ef06ec4d69ab0b7afa99c613383.tar.gz nx-libs-37e7fb1f64b29ef06ec4d69ab0b7afa99c613383.tar.bz2 nx-libs-37e7fb1f64b29ef06ec4d69ab0b7afa99c613383.zip | |
unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/rpcauth.c
Diffstat (limited to 'nx-X11/programs/Xserver/os')
| -rw-r--r-- | nx-X11/programs/Xserver/os/rpcauth.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c index 3c5cb5946..a12931eb0 100644 --- a/nx-X11/programs/Xserver/os/rpcauth.c +++ b/nx-X11/programs/Xserver/os/rpcauth.c @@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len) SVCXPRT xprt; temp_inmsg = (char *) xalloc(len); + if (temp_inmsg == NULL) { + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ + return NULL; + } memmove(temp_inmsg, inmsg, len); memset((char *)&msg, 0, sizeof(msg)); |