summaryrefslogtreecommitdiff
path: root/doc/.gitignore
diff options
context:
space:
mode:
authorTobias Stoeckmann <tobias@stoeckmann.org>2018-08-15 21:21:09 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2018-09-30 11:01:24 +0200
commitd86106f2369ecf81155decaa360f9162c0c3cd53 (patch)
tree2512046300977b78ae380e56b5c703a5375c66d3 /doc/.gitignore
parent75ffafb4e04661fb890a9e8088b743cb077050a6 (diff)
Fixed out ouf boundary accesses.
Out of boundary accesses can occur while processing messages. This affects clients and the session server. Generally, the code tries to prevent out of boundary accesses. It initially "skips" over the memory areas by parsing supplied lengths. Then, it checks if it skipped over the memory boundary. If not, then data is actually read and memory allocated, etc. The problem is that while initially skipping over the memory, subsequent lengths are already parsed, i.e. accessed. This results in out of boundary reads on hostile messages. Lengths could also overflow on 32 bit systems, leading to out of boundary writes if not enough bytes have been allocated. Authentication is handled by libICE, which is not affected, because the macros for skipping already take care about memory boundaries. Therefore, this flaw can only be used by authenticated clients or by hostile servers (which could simply accept every MIT cookie). Most session managers only use Unix sockets, so in many cases it takes a local authenticated user. In order to fix this, I decided to move the macros from SMlibint.h to its only callers in sm_process.c, turning them into functions for much easier error handling and readability. Instead of skipping over the memory, validation happens during actual read and memory allocation operations, as it's rather unlikely to encounter hostile code anyway, i.e. my code has more error cleanup handling in it. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'doc/.gitignore')
0 files changed, 0 insertions, 0 deletions