[PATCH wayland] connection: Don't write past the end of the connection buffer

Hardening rdp.effort at gmail.com
Thu Apr 17 08:37:53 PDT 2014


On 17/04/2014 17:20, Ander Conselvan de Oliveira wrote:
> From: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira at intel.com>
>
> If a message was too big to fit in the connection buffer, the code
> in wl_buffer_put would just write past the end of it.
>
> I haven't seen any real world use case that would trigger this bug, but
> it was possible to trigger it by sending a long enough string to the
> wl_data_source.offer request.
>
> https://bugs.freedesktop.org/show_bug.cgi?id=69267

Perhaps this should be marked as a security issue. If a wayland client 
can control an answer generated by the server, it would be able to 
overflow the buffer and corrupt the compositor's memory. I haven't checked 
whether or not it's feasible.

Regards.

-- 
David FORT
website: http://www.hardening-consulting.com/
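The kind of check the quoted commit describes, as an added illustration written for this thread and not libwayland's own code: a constructed power-of-two ring buffer whose put refuses a message that does not fit in the free space instead of letting the wrapped copy run past the end of the array. All names here (`struct ring`, `ring_put`, `ring_get`, `RING_SIZE`) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed ring buffer, loosely modelled on the connection buffer the
 * quoted commit describes; illustrative code, not libwayland's. */
#define RING_SIZE 64   /* power of two so MASK() can wrap the indices */
#define MASK(i) ((i) & (RING_SIZE - 1))

struct ring {
    uint8_t data[RING_SIZE];
    uint32_t head;   /* total bytes ever written */
    uint32_t tail;   /* total bytes ever consumed */
};

static size_t ring_used(const struct ring *r) { return r->head - r->tail; }
static size_t ring_free(const struct ring *r) { return RING_SIZE - ring_used(r); }

/* Checked put: refuse any message that does not fit in the free space.
 * Without this check the wrapped second memcpy below would run past the
 * end of r->data for a sufficiently long message. */
static int ring_put(struct ring *r, const void *src, size_t len) {
    if (len > ring_free(r))
        return -1;                       /* caller must flush or fail */
    size_t head = MASK(r->head);
    size_t first = RING_SIZE - head;     /* contiguous bytes before wrap */
    if (len <= first) {
        memcpy(r->data + head, src, len);
    } else {
        memcpy(r->data + head, src, first);
        memcpy(r->data, (const uint8_t *)src + first, len - first);
    }
    r->head += len;
    return 0;
}

/* Consume up to `len` bytes in FIFO order; returns bytes actually read. */
static size_t ring_get(struct ring *r, void *dst, size_t len) {
    if (len > ring_used(r)) len = ring_used(r);
    size_t tail = MASK(r->tail);
    size_t first = RING_SIZE - tail;
    if (len <= first) {
        memcpy(dst, r->data + tail, len);
    } else {
        memcpy(dst, r->data + tail, first);
        memcpy((uint8_t *)dst + first, r->data, len - first);
    }
    r->tail += len;
    return len;
}
```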

