authorMatthieu Herrb <matthieu@cvs.openbsd.org>2017-10-14 09:35:15 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2017-10-14 09:35:15 +0000
commit983c349848abd78759355a9264c011bbce254df0 (patch)
tree6ef59c66b717ebd0112583a7b0facd816543a05d /xserver/dix
parentf45ab7df4422ed2519e6d3a553f59f3d7263c132 (diff)
MFC: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Diffstat (limited to 'xserver/dix')
-rw-r--r--xserver/dix/dispatch.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/xserver/dix/dispatch.c b/xserver/dix/dispatch.c
index 2c201245a..0d6bd914e 100644
--- a/xserver/dix/dispatch.c
+++ b/xserver/dix/dispatch.c
@@ -3654,7 +3654,12 @@ ProcEstablishConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
auth_proto = (char *) prefix + sz_xConnClientPrefix;
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else
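Review bot: The added length test reads `prefix->nbytesAuthProto` and `prefix->nbytesAuthString`, and the context line above it already derives `auth_string` from the former, before anything visible in the hunk confirms that the request is long enough to hold a full `xConnClientPrefix`. ProcEstablishConnection starts above the hunk, so an earlier guarantee may exist; if it does not, a lower-bound test placed first would keep those reads inside the request, e.g. `if ((client->req_len << 2) < sz_xReq + sz_xConnClientPrefix) reason = "Bad length";` followed by the equality test as an `else if`. A one-line comment on the new condition, such as `/* request must be exactly header + prefix + padded auth name + padded auth data */`, would record why equality is required rather than `>=`. The function body continues past the trailing `else`, so whether `auth_proto` and `auth_string` are used only on the accepted path cannot be confirmed from here.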