| Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | [diff] [blame^] | 1 | CVE: CVE-2022-3550 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 |
| 6 | From: Peter Hutterer <peter.hutterer@who-t.net> |
| 7 | Date: Tue, 5 Jul 2022 12:06:20 +1000 |
| 8 | Subject: [PATCH] xkb: proof GetCountedString against request length attacks |
| 9 | |
| 10 | GetCountedString did a check for the whole string to be within the |
| 11 | request buffer but not for the initial 2 bytes that contain the length |
| 12 | field. A swapped client could send a malformed request to trigger a |
| 13 | swaps() on those bytes, writing into random memory. |
| 14 | |
| 15 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 16 | --- |
| 17 | xkb/xkb.c | 5 +++++ |
| 18 | 1 file changed, 5 insertions(+) |
| 19 | |
| 20 | diff --git a/xkb/xkb.c b/xkb/xkb.c |
| 21 | index f42f59ef3..1841cff26 100644 |
| 22 | --- a/xkb/xkb.c |
| 23 | +++ b/xkb/xkb.c |
| 24 | @@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) |
| 25 | CARD16 len; |
| 26 | |
| 27 | wire = *wire_inout; |
| 28 | + |
| 29 | + if (client->req_len < |
| 30 | + bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) |
| 31 | + return BadValue; |
| 32 | + |
| 33 | len = *(CARD16 *) wire; |
| 34 | if (client->swapped) { |
| 35 | swaps(&len); |
| 36 | -- |
| 37 | 2.34.1 |
| 38 | |