fserve: Fix a buffer read overrun in _fs_client_access

https://bugs.freedesktop.org/show_bug.cgi?id=83224

Found by clang's Address Sanitizer

	crac.num_auths = set_font_authorizations(&authorizations, &authlen,
						 client);
	/* Work around bug in xfs versions up through modular release 1.0.8
	   which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
	if (crac.num_auths == 0) {
	    authorizations = padding;
	    authlen = 4;
	} else {
	    authlen = (authlen + 3) & ~0x3;
	}
	crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
	crac.acid = cur->acid;
	_fs_add_req_log(conn, FS_CreateAC);
	_fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
	_fs_write(conn, authorizations, authlen);

In the case in the report, set_font_authorizations setup authorizations as a
34 byte buffer (and authlen set to 34 as one would expect). The following
block changed authlen to 36 to make it 4byte aligned and the final _fs_write()
caused us to read 36 bytes from this 34 byte buffer.

This changes the incorrect size increase to instead use _fs_write_pad which
takes care of the padding for us.

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561)

1 files changed, 1 insertions, 3 deletions

diff --git a/src/fc/fserve.c b/src/fc/fserve.c
index bbaa8bf..4fb5551 100644
--- a/src/fc/fserve.c
+++ b/src/fc/fserve.c
@@ -2850,14 +2850,12 @@ _fs_client_access (FSFpePtr conn, pointer client, Bool sync)
 	if (crac.num_auths == 0) {
 	    authorizations = padding;
 	    authlen = 4;
-	} else {
-	    authlen = (authlen + 3) & ~0x3;
 	}
 	crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
 	crac.acid = cur->acid;
 	_fs_add_req_log(conn, FS_CreateAC);
 	_fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
-	_fs_write(conn, authorizations, authlen);
+	_fs_write_pad(conn, authorizations, authlen);
 	/* ignore reply; we don't even care about it */
 	conn->curacid = 0;
 	cur->auth_generation = client_auth_generation(client);