authorTobias Stoeckmann <tobias@stoeckmann.org>2018-07-04 16:20:06 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2018-07-16 22:22:20 +0200
commit0c3627bc7dac395c6af8bd1fb747ef3556e95fb4 (patch)
treef3f24ae23cc2d15fcfaa289c942e6d35c908a54b /xhost.c
parent28015d91e284ee4b797a6e99ec16d53147c0ddb6 (diff)
Prevent OOB access on illegal server response.
While parsing Xorg responses it is possible to trigger an out of boundary read if the response does not contain enough bytes. In case of IPv4, the padding normally prevents this, but IPv6 addresses can trigger an out of boundary read. It takes a hostile xorg-server to reproduce this issue. If os/access.c is adjusted to always use a length of 1, it is possible to reproduce it and make it visible with an ASAN-compiled xhost. Reading past the memory boundary could reveal sensitive information to external DNS servers, because a lookup will be performed. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'xhost.c')
-rw-r--r--xhost.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/xhost.c b/xhost.c
index cd25366..7bea7bc 100644
--- a/xhost.c
+++ b/xhost.c
@@ -682,6 +682,8 @@ get_hostname(XHostAddress *ha)
#endif
sin->sin_family = AF_INET;
sin->sin_port = 0;
+ if (sizeof(sin->sin_addr) > ha->length)
+ return "";
memcpy(&sin->sin_addr, ha->address, sizeof(sin->sin_addr));
saddrlen = sizeof(struct sockaddr_in);
} else {
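Review bot: The added guard `sizeof(sin->sin_addr) > ha->length` compares a `size_t` with `ha->length`, which Xlib declares as a plain `int` in `XHostAddress`, so the length is converted to unsigned before the comparison. A negative length would then compare as a very large value and pass the guard. Whether Xlib can ever deliver a negative length is not visible in this hunk, but the check is cheap to make explicit: `if (ha->length < 0 || (size_t)ha->length < sizeof(sin->sin_addr)) return "";`. The same applies to the IPv6 guard in the second hunk, and the explicit form also keeps `-Wsign-compare` quiet. The body of get_hostname starts and ends outside the hunk.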
@@ -691,6 +693,8 @@ get_hostname(XHostAddress *ha)
#endif
sin6->sin6_family = AF_INET6;
sin6->sin6_port = 0;
+ if (sizeof(sin6->sin6_addr) > ha->length)
+ return "";
memcpy(&sin6->sin6_addr, ha->address, sizeof(sin6->sin6_addr));
saddrlen = sizeof(struct sockaddr_in6);
}
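Review bot: The early `return "";` in the IPv6 branch discards a truncated address silently, and nothing in the code says why the length is compared. According to the commit message a short address only comes from a misbehaving or hostile server, so that reason is worth recording in a comment above the check, e.g. `/* server-supplied length shorter than an IPv6 address: skip the lookup rather than read past ha->address */`, with a matching one on the IPv4 guard. How callers treat an empty string is outside this hunk. If they print it as an ordinary name, a one-line warning on stderr before returning would make the malformed reply visible to whoever runs xhost.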