From ac4bb20e74e064b219de70e9b54516a921fdb7c3 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Tue, 22 Nov 2016 20:13:29 +0100 Subject: Fix use after free on subsequent calls The function IceAuthFileName is vulnerable to a use after free. The flaw can be triggered by calling the function three times: - First call succeeds and stores the path in buf, a dynamically allocated buffer with size bsize. - Second call fails due to out of memory. It frees buf, but keeps the old size in bsize. - Third call only checks if bsize is large enough. Then it uses buf without allocating it again -- the use after free happens. In order to exploit this, an attacker must change environment variables between each call, namely ICEAUTHORITY or HOME. It also takes subsequent calls. Due to these limitations, I don't consider this to be of high priority. Reviewed-by: Matthieu Herrb --- src/authutil.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/authutil.c b/src/authutil.c index 04c0791..ca0504a 100644 --- a/src/authutil.c +++ b/src/authutil.c @@ -114,8 +114,10 @@ IceAuthFileName (void) if (buf) free (buf); buf = malloc (size); - if (!buf) + if (!buf) { + bsize = 0; return (NULL); + } bsize = size; } -- cgit v1.2.3