| Field | Value | Date |
|---|---|---|
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2016-11-22 20:13:29 +0100 |
| committer | Matthieu Herrb <matthieu@herrb.eu> | 2016-12-09 21:38:29 +0100 |
| commit | ac4bb20e74e064b219de70e9b54516a921fdb7c3 (patch) | |
| tree | ebf804665031992df7a922a6306302a27b2577db | |
| parent | b1720edc9b9f3e7a05caa3fcd81761e5818ea255 (diff) | |
Fix use after free on subsequent calls
The function IceAuthFileName is vulnerable to a use after free. The
flaw can be triggered by calling the function three times:

- First call succeeds and stores the path in buf, a dynamically allocated buffer with size bsize.
- Second call fails due to out of memory. It frees buf, but keeps the old size in bsize.
- Third call only checks if bsize is large enough. Then it uses buf without allocating it again -- the use after free happens.

In order to exploit this, an attacker must change environment variables
between each call, namely ICEAUTHORITY or HOME. It also takes subsequent
calls. Due to these limitations, I don't consider this to be of high
priority.
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
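The three-call sequence from the commit message, replayed in an added example that is not libICE code. It models the static-cache pattern of IceAuthFileName (a static `buf` of `bsize` bytes that is only regrown when the next path no longer fits), replaces the ICEAUTHORITY/HOME lookups with a `home` argument, injects the failing allocation through a constructed `demo_malloc` switch instead of real memory pressure, and selects pre- or post-commit behaviour with a `fixed` flag. The names `auth_file_name`, `replay`, `cache_consistent` and the `outcome` codes are this example's own.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of IceAuthFileName's caching, not the libICE source.
 * Same size arithmetic as the original: strlen(home) + strlen(suffix) + 1. */
static const char suffix[] = "/.ICEauthority";

static char  *buf   = NULL;   /* cached path, NULL when nothing is allocated */
static size_t bsize = 0;      /* capacity of buf; should be 0 whenever buf is NULL */
static int    fail_next_alloc = 0;   /* constructed out-of-memory switch for the demo */

static void *demo_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;               /* simulate malloc failing */
    }
    return malloc(n);
}

enum outcome { PATH_OK = 0, PATH_OOM = 1, PATH_STALE_CACHE = 2 };

/* One call of the modelled function. On PATH_OK, *out points at the cached buffer. */
static enum outcome auth_file_name(const char *home, int fixed, const char **out)
{
    size_t hlen = strlen(home);
    size_t size = hlen + sizeof suffix;   /* sizeof includes the terminating NUL */

    *out = NULL;
    if (size > bsize) {
        if (buf)
            free(buf);
        buf = demo_malloc(size);       /* on failure buf is now NULL ... */
        if (!buf) {
            if (fixed)
                bsize = 0;             /* ... and the commit also drops the stale capacity */
            return PATH_OOM;           /* pre-fix: bsize still claims the old capacity */
        }
        bsize = size;
    }

    /* The real function writes through buf unconditionally at this point.
     * The model stops instead when the cache is inconsistent (size <= bsize
     * but no buffer), which is exactly the state the pre-fix path leaves behind. */
    if (!buf)
        return PATH_STALE_CACHE;

    memcpy(buf, home, hlen);
    memcpy(buf + hlen, suffix, sizeof suffix);
    *out = buf;
    return PATH_OK;
}

/* Invariant the fix restores: bsize is zero exactly when buf is NULL. */
static int cache_consistent(void)
{
    return (buf == NULL) == (bsize == 0);
}

static void reset_cache(void)
{
    free(buf);
    buf = NULL;
    bsize = 0;
    fail_next_alloc = 0;
}

/* Replays the sequence from the commit message and returns the third call's
 * outcome: PATH_OK with the fix, PATH_STALE_CACHE without it. */
static enum outcome replay(int fixed, const char **third)
{
    const char *p;

    reset_cache();
    auth_file_name("/home/alice", fixed, &p);              /* 1: allocates buf, bsize = 26 */
    fail_next_alloc = 1;
    auth_file_name("/home/alice/longer/home", fixed, &p);  /* 2: needs more, frees buf, malloc fails */
    return auth_file_name("/home/alice", fixed, third);    /* 3: size 26 fits the stale bsize */
}

int main(void)
{
    const char *p;
    enum outcome r = replay(0, &p);
    printf("pre-fix : third call -> %d (2 = stale cache, buf is NULL), consistent=%d\n",
           (int) r, cache_consistent());
    r = replay(1, &p);
    printf("post-fix: third call -> %d, path=%s, consistent=%d\n",
           (int) r, p ? p : "(null)", cache_consistent());
    reset_cache();
    return 0;
}
```

The point the replay makes is that the failing second call leaves `buf` NULL but `bsize` at its old value, so the third call's `size > bsize` test is satisfied by a buffer that no longer exists; clearing `bsize` on the failure path makes the third call allocate again.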
-rw-r--r-- | src/authutil.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/authutil.c b/src/authutil.c index 04c0791..ca0504a 100644 --- a/src/authutil.c +++ b/src/authutil.c @@ -114,8 +114,10 @@ IceAuthFileName (void) if (buf) free (buf); buf = malloc (size); - if (!buf) + if (!buf) { + bsize = 0; return (NULL); + } bsize = size; } |
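Review bot: The hunk fixes the right variable but documents nothing about why; a one-line comment next to `bsize = 0;` stating the invariant the `size > bsize` check depends on (bsize is 0 whenever buf is NULL) would save the next reader from re-deriving it from the commit message. Note that `buf = malloc (size);` has already overwritten the freed pointer with the NULL that malloc returned before the new block is entered, so the following call's `if (buf) free (buf);` is safe and bsize was the only stale state; an extra `buf = NULL;` is not needed, which is worth saying in that comment so nobody "completes" the fix later.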