aboutsummaryrefslogtreecommitdiff
path: root/nxcomp/Transport.cpp
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-26 10:54:41 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commitfde1375e373137ac52d0530b819bf9df64ab14c1 (patch)
tree2a07b3ab946c2e2aa9799deea62dfefac5aea092 /nxcomp/Transport.cpp
parent985ca320f841bd9a3efc484f92436b3d65ec1b31 (diff)
downloadnx-libs-fde1375e373137ac52d0530b819bf9df64ab14c1.tar.gz
nx-libs-fde1375e373137ac52d0530b819bf9df64ab14c1.tar.bz2
nx-libs-fde1375e373137ac52d0530b819bf9df64ab14c1.zip
Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer. This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xi/chgdctl.c Xi/chgfctl.c Xi/xiallowev.c Xi/xichangecursor.c Xi/xichangehierarchy.c Xi/xigetclientpointer.c Xi/xigrabdev.c Xi/xipassivegrab.c Xi/xiproperty.c Xi/xiquerydevice.c Xi/xiquerypointer.c Xi/xiselectev.c Xi/xisetclientpointer.c Xi/xisetdevfocus.c Xi/xiwarppointer.c [RHEL5: Xi/xi* files are XI2 ]
Diffstat (limited to 'nxcomp/Transport.cpp')
0 files changed, 0 insertions, 0 deletions