aboutsummaryrefslogtreecommitdiff
path: root/nxcomp/GetPropertyReply.h
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 23:12:04 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commit985ca320f841bd9a3efc484f92436b3d65ec1b31 (patch)
tree64ec53aa1272c0888b3b19f3efaae8e4471bd3f0 /nxcomp/GetPropertyReply.h
parent82d7279ebfa04f319e68145b3adbf65716e59584 (diff)
downloadnx-libs-985ca320f841bd9a3efc484f92436b3d65ec1b31.tar.gz
nx-libs-985ca320f841bd9a3efc484f92436b3d65ec1b31.tar.bz2
nx-libs-985ca320f841bd9a3efc484f92436b3d65ec1b31.zip
dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read from a buffer. The length is never validated, which can lead to out of bound reads, and possibly returning the data read from out of bounds to the misbehaving client via an X Error packet. SProcDbeSwapBuffers() swaps data (for correct endianness) before handing it off to the real proc. While doing the swapping, the length field is not validated, which can cause memory corruption. v2: reorder checks to avoid compilers optimizing out checks for overflow that happen after we'd already have done the overflowing multiplications. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dbe/dbe.c
Diffstat (limited to 'nxcomp/GetPropertyReply.h')
0 files changed, 0 insertions, 0 deletions