diff options
author | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2016-05-30 00:46:21 -0700 |
---|---|---|
committer | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2016-05-30 02:10:00 -0700 |
commit | 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561 (patch) | |
tree | ecf928e65faa9bf2108b407cd4228cba0594253e | |
parent | d967caa988eaabd9e84c82879e2f21bd33b952a7 (diff) |
fserve: Fix a buffer read overrun in _fs_client_access
https://bugs.freedesktop.org/show_bug.cgi?id=83224
Found by clang's Address Sanitizer
crac.num_auths = set_font_authorizations(&authorizations, &authlen,
client);
/* Work around bug in xfs versions up through modular release 1.0.8
which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
if (crac.num_auths == 0) {
authorizations = padding;
authlen = 4;
} else {
authlen = (authlen + 3) & ~0x3;
}
crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
crac.acid = cur->acid;
_fs_add_req_log(conn, FS_CreateAC);
_fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
_fs_write(conn, authorizations, authlen);
In the case in the report, set_font_authorizations setup authorizations as a
34 byte buffer (and authlen set to 34 as one would expect). The following
block changed authlen to 36 to make it 4byte aligned and the final _fs_write()
caused us to read 36 bytes from this 34 byte buffer.
This changes the incorrect size increase to instead use _fs_write_pad which
takes care of the padding for us.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-rw-r--r-- | src/fc/fserve.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/fc/fserve.c b/src/fc/fserve.c index fb1941d..708fc35 100644 --- a/src/fc/fserve.c +++ b/src/fc/fserve.c @@ -2856,14 +2856,12 @@ _fs_client_access (FSFpePtr conn, pointer client, Bool sync) if (crac.num_auths == 0) { authorizations = padding; authlen = 4; - } else { - authlen = (authlen + 3) & ~0x3; } crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; crac.acid = cur->acid; _fs_add_req_log(conn, FS_CreateAC); _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); - _fs_write(conn, authorizations, authlen); + _fs_write_pad(conn, authorizations, authlen); /* ignore reply; we don't even care about it */ conn->curacid = 0; cur->auth_generation = client_auth_generation(client); |