blob: c75c0a8f4912ef6d3ad716466cfcd8e96f516938 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Tue, 9 Dec 2014 09:31:00 -0800
Subject: [PATCH 2/2] dix: GetHosts bounds check using wrong pointer value
[CVE-2014-8092 pt. 6]
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
os/access.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/access.c b/os/access.c
index f393c8d..28f2d32 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
--
2.1.0
|
