|
 |
0fd959 |
From a6eac4b0e8c615176ad43dccc353e667023e2d6e Mon Sep 17 00:00:00 2001
|
|
|
0fd959 |
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
0fd959 |
Date: Fri, 17 Jan 2014 18:54:03 -0800
|
|
|
0fd959 |
Subject: [PATCH 01/33] unchecked malloc may allow unauthed client to crash
|
|
|
0fd959 |
Xserver [CVE-2014-8091]
|
|
|
0fd959 |
|
|
|
0fd959 |
authdes_ezdecode() calls malloc() using a length provided by the
|
|
|
0fd959 |
connection handshake sent by a newly connected client in order
|
|
|
0fd959 |
to authenticate to the server, so should be treated as untrusted.
|
|
|
0fd959 |
|
|
|
0fd959 |
It didn't check if malloc() failed before writing to the newly
|
|
|
0fd959 |
allocated buffer, so could lead to a server crash if the server
|
|
|
0fd959 |
fails to allocate memory (up to UINT16_MAX bytes, since the len
|
|
|
0fd959 |
field is a CARD16 in the X protocol).
|
|
|
0fd959 |
|
|
|
0fd959 |
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
|
|
|
0fd959 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
0fd959 |
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
0fd959 |
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
|
|
|
0fd959 |
---
|
|
|
0fd959 |
os/rpcauth.c | 4 ++++
|
|
|
0fd959 |
1 file changed, 4 insertions(+)
|
|
|
0fd959 |
|
|
|
0fd959 |
diff --git a/os/rpcauth.c b/os/rpcauth.c
|
|
|
0fd959 |
index bd219ac..c5bf787 100644
|
|
|
0fd959 |
--- a/os/rpcauth.c
|
|
|
0fd959 |
+++ b/os/rpcauth.c
|
|
|
0fd959 |
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
|
|
|
0fd959 |
SVCXPRT xprt;
|
|
|
0fd959 |
|
|
|
0fd959 |
temp_inmsg = malloc(len);
|
|
|
0fd959 |
+ if (temp_inmsg == NULL) {
|
|
|
0fd959 |
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
|
|
|
0fd959 |
+ return NULL;
|
|
|
0fd959 |
+ }
|
|
|
0fd959 |
memmove(temp_inmsg, inmsg, len);
|
|
|
0fd959 |
|
|
|
0fd959 |
memset((char *) &msg, 0, sizeof(msg));
|
|
|
0fd959 |
--
|
|
|
0fd959 |
1.9.3
|
|
|
0fd959 |
|