summaryrefslogtreecommitdiffstats
path: root/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff31
1 files changed, 31 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
new file mode 100644
index 000000000..9caf31247
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
@@ -0,0 +1,31 @@
+From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 8b371b6..176c7a0 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
+ prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+ auth_proto = (char *) prefix + sz_xConnClientPrefix;
+ auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+- if ((prefix->majorVersion != X_PROTOCOL) ||
++
++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++ pad_to_int32(prefix->nbytesAuthProto) +
++ pad_to_int32(prefix->nbytesAuthString))
++ reason = "Bad length";
++ else if ((prefix->majorVersion != X_PROTOCOL) ||
+ (prefix->minorVersion != X_PROTOCOL_REVISION))
+ reason = "Protocol version mismatch";
+ else
+--
+cgit v0.10.2
+
+