| CVE: CVE-2022-3550 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| |
| From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 |
| From: Peter Hutterer <peter.hutterer@who-t.net> |
| Date: Tue, 5 Jul 2022 12:06:20 +1000 |
| Subject: [PATCH] xkb: proof GetCountedString against request length attacks |
| |
| GetCountedString did a check for the whole string to be within the |
| request buffer but not for the initial 2 bytes that contain the length |
| field. A swapped client could send a malformed request to trigger a |
| swaps() on those bytes, writing into random memory. |
| |
| Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| --- |
| xkb/xkb.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| diff --git a/xkb/xkb.c b/xkb/xkb.c |
| index f42f59ef3..1841cff26 100644 |
| --- a/xkb/xkb.c |
| +++ b/xkb/xkb.c |
| @@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) |
| CARD16 len; |
| |
| wire = *wire_inout; |
| + |
| + if (client->req_len < |
| + bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) |
| + return BadValue; |
| + |
| len = *(CARD16 *) wire; |
| if (client->swapped) { |
| swaps(&len); |
| -- |
| 2.34.1 |
| |