summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Stoeckmann <tobias@stoeckmann.org>2016-11-22 20:13:29 +0100
committerMatthieu Herrb <matthieu@herrb.eu>2016-12-09 21:38:29 +0100
commitac4bb20e74e064b219de70e9b54516a921fdb7c3 (patch)
treeebf804665031992df7a922a6306302a27b2577db
parentb1720edc9b9f3e7a05caa3fcd81761e5818ea255 (diff)
Fix use after free on subsequent calls
The function IceAuthFileName is vulnerable to a use after free. The flaw can be triggered by calling the function three times: - First call succeeds and stores the path in buf, a dynamically allocated buffer with size bsize. - Second call fails due to out of memory. It frees buf, but keeps the old size in bsize. - Third call only checks if bsize is large enough. Then it uses buf without allocating it again -- the use after free happens. In order to exploit this, an attacker must change environment variables between each call, namely ICEAUTHORITY or HOME. It also takes subsequent calls. Due to these limitations, I don't consider this to be of high priority. Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-rw-r--r--src/authutil.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/authutil.c b/src/authutil.c
index 04c0791..ca0504a 100644
--- a/src/authutil.c
+++ b/src/authutil.c
@@ -114,8 +114,10 @@ IceAuthFileName (void)
if (buf)
free (buf);
buf = malloc (size);
- if (!buf)
+ if (!buf) {
+ bsize = 0;
return (NULL);
+ }
bsize = size;
}