SwallowOS/xorg_lib_libxtrans
1
0
Fork 0
mirror of https://github.com/SwallowOS/xorg_lib_libxtrans synced 2025-11-04 13:56:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

Xtranssock.c: avoid buffer overrun in SocketReopen

Browse Source 
This function was constructing an address from a port string allocating
a buffer according to the size of the string but then later copying
the address according to sizeof(struct sockaddr).

This patch ensures that we allocate a struct sockaddr buffer with enough
space for the port string to be copied into sa_data[] and uses that
combined length to determine how much should be copied at the end of the
function.

This fixes a crash when using xwayland which uses ListenOnOpenFD() that
will call _XSERVTransReopenCOTSServer() with a short port string like
":1".

Signed-off-by: Robert Bragg <robert@linux.intel.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
Robert Bragg
2011-12-12 00:30:43 +00:00
committed by Alan Coopersmith
parent a04a45cb94
commit 6086f6c1d0
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
Xtranssock.c
View File

@@ -458,6 +458,7 @@ TRANS(SocketReopen) (int i _X_UNUSED, int type, int fd, char *port)
XtransConnInfo ciptr;
int portlen;
struct sockaddr *addr;
size_t addrlen;
prmsg (3,"SocketReopen(%d,%d,%s)\n", type, fd, port);
@@ -488,26 +489,27 @@ TRANS(SocketReopen) (int i _X_UNUSED, int type, int fd, char *port)
ciptr->fd = fd;
if ((addr = calloc (1, portlen + 2)) == NULL) {
addrlen = portlen + offsetof(struct sockaddr, sa_data);
if ((addr = calloc (1, addrlen)) == NULL) {
prmsg (1, "SocketReopen: malloc(addr) failed\n");
free (ciptr);
return NULL;
}
ciptr->addr = (char *) addr;
ciptr->addrlen = portlen + 2;
ciptr->addrlen = addrlen;
if ((ciptr->peeraddr = calloc (1, portlen + 2)) == NULL) {
if ((ciptr->peeraddr = calloc (1, addrlen)) == NULL) {
prmsg (1, "SocketReopen: malloc(portaddr) failed\n");
free (addr);
free (ciptr);
return NULL;
}
ciptr->peeraddrlen = portlen + 2;
ciptr->peeraddrlen = addrlen;
/* Initialize ciptr structure as if it were a normally-opened unix socket */
ciptr->flags = TRANS_LOCAL | TRANS_NOUNLINK;
#ifdef BSD44SOCKETS
addr->sa_len = portlen + 1;
addr->sa_len = addrlen;
#endif
addr->sa_family = AF_UNIX;
#ifdef HAS_STRLCPY
@@ -516,7 +518,7 @@ TRANS(SocketReopen) (int i _X_UNUSED, int type, int fd, char *port)
strncpy(addr->sa_data, port, portlen);
#endif
ciptr->family = AF_UNIX;
memcpy(ciptr->peeraddr, ciptr->addr, sizeof(struct sockaddr));
memcpy(ciptr->peeraddr, ciptr->addr, addrlen);
ciptr->port = rindex(addr->sa_data, ':');
if (ciptr->port == NULL) {
if (is_numeric(addr->sa_data)) {