| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2018-08-15 21:21:09 +0200 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@herrb.eu> | 2018-09-30 11:01:24 +0200 |
| commit | d86106f2369ecf81155decaa360f9162c0c3cd53 (patch) | |
| tree | 2512046300977b78ae380e56b5c703a5375c66d3 /doc/.gitignore | |
| parent | 75ffafb4e04661fb890a9e8088b743cb077050a6 (diff) | |
Fixed out of boundary accesses.
Out of boundary accesses can occur while processing messages. This
affects clients and the session server.
Generally, the code tries to prevent out of boundary accesses. It
initially "skips" over the memory areas by parsing supplied lengths.
Then, it checks if it skipped over the memory boundary. If not, then
data is actually read and memory allocated, etc.
The problem is that while initially skipping over the memory,
subsequent lengths are already parsed, i.e. accessed. This results in
out of boundary reads on hostile messages.
Lengths could also overflow on 32-bit systems, leading to out of
boundary writes if not enough bytes have been allocated.
Authentication is handled by libICE, which is not affected, because the
macros for skipping already take care of memory boundaries.
Therefore, this flaw can only be used by authenticated clients or by
hostile servers (which could simply accept every MIT cookie). Most
session managers only use Unix sockets, so in many cases it takes a
local authenticated user.
In order to fix this, I decided to move the macros from SMlibint.h to
its only callers in sm_process.c, turning them into functions for much
easier error handling and readability.
Instead of skipping over the memory, validation happens during actual
read and memory allocation operations, as it's rather unlikely to
encounter hostile code anyway, i.e. my code has more error cleanup
handling in it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'doc/.gitignore')
0 files changed, 0 insertions, 0 deletions
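The validate-while-reading pattern the commit message argues for, as an added C illustration (not libSM's code; the length-prefixed field format, `read_len`, `parse_fields` and `count_fields` are hypothetical). Each length is compared against the bytes that actually remain before it is used, so neither a length prefix nor a payload is ever read past the buffer, and the "skip first, check afterwards" sequence that reads subsequent lengths out of bounds never happens.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical wire format (constructed for this example): a message is a
 * sequence of fields, each a 4-byte little-endian length followed by that
 * many payload bytes. */

/* Read one length prefix at *off. Fails if fewer than 4 bytes remain, instead
 * of reading the header out of bounds. Requires *off <= buflen. */
static int read_len(const uint8_t *buf, size_t buflen, size_t *off, uint32_t *out)
{
    if (buflen - *off < 4)
        return -1;
    *out = (uint32_t)buf[*off] | (uint32_t)buf[*off + 1] << 8 |
           (uint32_t)buf[*off + 2] << 16 | (uint32_t)buf[*off + 3] << 24;
    *off += 4;
    return 0;
}

/* Walk all fields, recording each payload's offset and length. The check
 * "flen > buflen - off" is done before off is advanced, so the sum of lengths
 * can never wrap (the 32-bit overflow case) and no payload overruns buflen.
 * Returns the number of fields, or -1 on a truncated or hostile message. */
int parse_fields(const uint8_t *buf, size_t buflen, size_t max_fields,
                 size_t *field_off, size_t *field_len)
{
    size_t off = 0, n = 0;
    while (off < buflen) {
        uint32_t flen;
        if (n == max_fields)
            return -1;                      /* more fields than we will accept */
        if (read_len(buf, buflen, &off, &flen) < 0)
            return -1;                      /* length prefix itself is truncated */
        if (flen > buflen - off)
            return -1;                      /* declared payload exceeds the buffer */
        field_off[n] = off;
        field_len[n] = flen;
        off += flen;
        n++;
    }
    return (int)n;
}

/* Convenience wrapper: number of fields in a message, or -1 if it is malformed. */
int count_fields(const uint8_t *buf, size_t buflen)
{
    size_t offs[8], lens[8];
    return parse_fields(buf, buflen, 8, offs, lens);
}

/* Constructed sample messages: one well-formed, three that a skip-first parser
 * would mishandle (oversized length, truncated payload, truncated header). */
static const uint8_t kGood[]     = {3,0,0,0,'a','b','c', 2,0,0,0,'x','y'};
static const uint8_t kHugeLen[]  = {0xff,0xff,0xff,0xff,'a','b'};
static const uint8_t kTruncPay[] = {3,0,0,0,'a','b'};
static const uint8_t kShortHdr[] = {3,0};
```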