Age | Commit message | Author
|
Out of boundary accesses can occur while processing messages. This
affects clients and the session server.
Generally, the code tries to prevent out of boundary accesses. It
initially "skips" over the memory areas by parsing supplied lengths.
Then, it checks if it skipped over the memory boundary. If not, then
data is actually read and memory allocated, etc.
The problem is that while initially skipping over the memory,
subsequent lengths are already parsed, i.e. accessed. This results in
out of boundary reads on hostile messages.
Lengths could also overflow on 32-bit systems, leading to out of
boundary writes if not enough bytes have been allocated.
Authentication is handled by libICE, which is not affected, because the
macros for skipping already take care of memory boundaries.
Therefore, this flaw can only be used by authenticated clients or by
hostile servers (which could simply accept every MIT cookie). Most
session managers only use Unix sockets, so in many cases it takes a
local authenticated user.
In order to fix this, I decided to move the macros from SMlibint.h to
its only callers in sm_process.c, turning them into functions for much
easier error handling and readability.
Instead of skipping over the memory, validation happens during actual
read and memory allocation operations, as it's rather unlikely to
encounter hostile code anyway, i.e. my code has more error cleanup
handling in it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
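The validate-while-reading approach the commit describes, as an added illustration that is not libSM's code: a simplified length-prefixed string reader (the 4-byte little-endian framing and the function names are assumptions, not the SM wire format) that checks each length against the bytes actually remaining before anything is read or allocated, compares byte counts rather than pointers so nothing wraps on 32-bit systems, and frees partial results when a message is rejected.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libSM code: each field is a 4-byte little-endian
 * length followed by that many bytes of text (the real SM format pads
 * fields and uses ICE byte order; only the validation order matters). */
struct cursor { const unsigned char *p; size_t remaining; };

/* Validate during the read, in the order the bytes are consumed:
 *  1. the 4 length bytes must exist before they are parsed;
 *  2. the length must fit in the remaining bytes before any payload is
 *     touched, which also bounds len + 1 so malloc's size cannot wrap.
 * Bounds are byte counts, never p + len against an end pointer, so the
 * comparison itself cannot overflow on 32-bit targets.
 * Returns a NUL-terminated copy or NULL on a malformed message. */
char *read_string(struct cursor *c)
{
    uint32_t len;
    char *s;
    if (c->remaining < 4)
        return NULL;
    len = (uint32_t)c->p[0] | ((uint32_t)c->p[1] << 8) |
          ((uint32_t)c->p[2] << 16) | ((uint32_t)c->p[3] << 24);
    c->p += 4;
    c->remaining -= 4;
    if (len > c->remaining)
        return NULL;
    if ((s = malloc((size_t)len + 1)) == NULL)
        return NULL;
    memcpy(s, c->p, len);
    s[len] = '\0';
    c->p += len;
    c->remaining -= len;
    return s;
}

/* Parse `count` strings; on failure free what was already allocated so a
 * rejected message leaks nothing. Returns 0 on success, -1 otherwise. */
int parse_strings(const unsigned char *msg, size_t msglen, size_t count, char **out)
{
    struct cursor c = { msg, msglen };
    size_t i;
    for (i = 0; i < count; i++) {
        if ((out[i] = read_string(&c)) == NULL) {
            while (i > 0) free(out[--i]);
            return -1;
        }
    }
    return 0;
}
```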
|
|
Even though this use was safe, some linkers produce a warning
when strcpy() is used, and this is the only use in libSM.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
It should be char *.
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: David Macek <david.macek.0@gmail.com>
|
|
File exists as a placeholder in case someone someday decides to add
additional auth methods on top of what libICE provides, but it's been
two decades and no one has, so stop spending time compiling & linking
for now.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Clears gcc warning of:
sm_client.c: In function 'SmcOpenConnection':
sm_client.c:199:13: warning: assignment discards 'const' qualifier from
pointer target type [enabled by default]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Has never been converted to build in modular builds, so has been unusable
since X11R7.0 release in 2005. All known platforms with TLI/XTI support
that X11R7 & later releases run on also have (and mostly prefer) BSD
socket support for their networking API.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Needed to fix gcc -Wwrite-strings arguments in callers such as xsm.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
With modern compilers and headers, they cause more problems than they
solve and just hide real issues.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Takes care of the other block of code confusingly sharing indent levels
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Gets rid of one of the multiple levels of bracketing that confusingly
shared the same indent level.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Both variables were locals in different scope levels of the same
function, leading to both confusing code and gcc -Wshadow warnings:
sm_genid.c: In function 'SmsGenerateClientID':
sm_genid.c:160:10: warning: declaration of 'temp' shadows a previous local
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Cloos <cloos@jhcloos.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Simplify configuration by using a single PKG_CHECK_MODULES statement.
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Fix apparent typo in SmsGenerateClientID which always leaves the
first byte of the allocated id string uninitialized. If that byte
happens to be 0, SmsGenerateClientId appears to return an empty
string to the caller, instead of a proper GUID in text form.
Reviewed-by: James Cloos <cloos@jhcloos.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
This reverts commit 58aa8879e10b12e478ab14b90afd1001b4abd316.
Fixes gnome-session crashes due to double frees, as reported in
http://bugs.freedesktop.org/show_bug.cgi?id=24964
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
|
|
If the system provides the uuid_create function, assume building on FreeBSD
or another OS with a compatible uuid interface. If that's the case, ignore
libuuid and just use the system functions without extra deps.
|
|
|
|
Patch from http://bugs.freedesktop.org/show_bug.cgi?id=17968 adapted
to current sources.
This corrects a potential (hypothetical) segmentation fault.
|
|
|
|
|
|
gethostbyname() will hit the network, which leads to DNS timeouts, which
leads to fail. Just use UUIDs.
|
|
|
|
This reverts commit 57ea148fdbf047a012b361acdc7954e70679dad3.
|
|
|
|
|
|
|
|
This reduces the size of the DSO by almost 4K and gets rid of 255
relocations on load.
|
|
|
|
freeaddrinfo() in error handling return (Peter Breitenlohner)
|
|
in errorStringRet, but were just calling strncpy and not making sure
strings were NULL terminated if errorLength wasn't long enough.
(Noticed while evaluating Coverity ids 196 & 201.)
|
|
|
|
|
|
API.
|
|
|
|
Copy Xtrans.h to exports/include/X11/Xtrans only
|
|
- Add libSM to symlink.sh
- Add SM build system
|
|
|