MFC: os: Make sure big requests have sufficient length.

A client can send a big request where the 32B "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer.
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:17:41 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:17:41 +0000
commit: b029c472bc655a08ca6e0ef2184950f44d2f7aca (patch)
tree: efb962d4bad196ec97b7e1d1169839bc86b741a4 /xserver/os
parent: c09e35b38140cbbeb81b58307a51a9280253d089 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/xserver/os/io.c b/xserver/os/io.c
index 96a243d8c..bc26da7e5 100644
--- a/xserver/os/io.c
+++ b/xserver/os/io.c
@@ -480,6 +480,11 @@ ReadRequestFromClient(ClientPtr client)
         if (++timesThisConnection >= MAX_TIMES_PER)
             YieldControl();
     if (move_header) {
+        if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+            YieldControlDeath();
+            return -1;
+        }
+
         request = (xReq *) oci->bufptr;
         oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
         *(xReq *) oci->bufptr = *request;
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:17:41 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:17:41 +0000
commit	b029c472bc655a08ca6e0ef2184950f44d2f7aca (patch)
tree	efb962d4bad196ec97b7e1d1169839bc86b741a4 /xserver/os
parent	c09e35b38140cbbeb81b58307a51a9280253d089 (diff)