[PATCH wayland] connection: Don't write past the end of the connection buffer

Jason Ekstrand jason at jlekstrand.net
Thu Apr 17 12:46:20 PDT 2014


On Apr 17, 2014 10:37 AM, "Hardening" <rdp.effort at gmail.com> wrote:
>
> On 17/04/2014 17:20, Ander Conselvan de Oliveira wrote:
>
>> From: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira at intel.com>
>>
>> If a message was too big to fit in the connection buffer, the code
>> in wl_buffer_put would just write past the end of it.
>>
>> I haven't seen any real world use case that would trigger this bug, but
>> it was possible to trigger it by sending a long enough string to the
>> wl_data_source.offer request.

I don't think this issue is one that can be client-triggered since we check
everything pretty well when it comes in.  (I haven't done a full audit in a
while.)  It should only be an issue if the client or server sends the other
a string or array that's too long.  Previously it would cause the sender to
crash but throwing an error is probably better.

>>
>> https://bugs.freedesktop.org/show_bug.cgi?id=69267
>
>
> Perhaps this should be marked as a security issue. If a wayland client
> can control an answer generated by the server, it would be able to overflow
> the buffer and corrupt the compositor's memory. I haven't checked whether
> it's feasible.
>
> Regards.
>
> --
> David FORT
> website: http://www.hardening-consulting.com/
>
> _______________________________________________
> wayland-devel mailing list
> wayland-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
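As an added example (not wayland's own code and not part of this message), the following C model shows the kind of fixed-size connection ring buffer the thread discusses, with the bounds check whose absence let wl_buffer_put write past the end, and the wl_data_source.offer string case named in the commit message. The 4096-byte RING_SIZE, the ring_* and marshal_offer names and the choice of E2BIG as the error code are assumptions of this example; the wire sizing (8-byte message header, string argument as a 32-bit length counting the NUL followed by the bytes padded to 4) follows the Wayland wire format.

```c
/* Added example, not wayland's own code: a fixed-size ring buffer in the
 * style of a connection buffer, with the bounds check the thread describes
 * as missing.  RING_SIZE, the names and the use of E2BIG are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 4096u                 /* assumed capacity, a power of two */
#define MASK(i)   ((i) & (RING_SIZE - 1))

struct ring_buffer {
	char data[RING_SIZE];
	uint32_t head;                  /* total bytes written; MASK(head) indexes data[] */
	uint32_t tail;                  /* total bytes consumed by the reader */
};

static uint32_t ring_size_used(const struct ring_buffer *b) { return b->head - b->tail; }
static uint32_t ring_size_free(const struct ring_buffer *b) { return RING_SIZE - ring_size_used(b); }

/* Append count bytes, wrapping at the end of data[].  Returns 0, or -1 with
 * errno = E2BIG when the message does not fit.  Without this check (the
 * pre-fix behaviour the thread describes) the split copy below overwrites
 * unread bytes and, once count - first exceeds RING_SIZE, runs past data[]. */
static int ring_put(struct ring_buffer *b, const void *src, uint32_t count)
{
	uint32_t head, first;

	if (count > ring_size_free(b)) {
		errno = E2BIG;
		return -1;
	}
	head = MASK(b->head);
	if (head + count <= RING_SIZE) {
		memcpy(b->data + head, src, count);
	} else {
		first = RING_SIZE - head;
		memcpy(b->data + head, src, first);
		memcpy(b->data, (const char *)src + first, count - first);
	}
	b->head += count;
	return 0;
}

/* Wire size of wl_data_source.offer(mime_type): 8-byte header, then the
 * string as a 32-bit length (counting the NUL) plus bytes padded to 4. */
static uint32_t offer_wire_size(const char *mime)
{
	uint32_t len = (uint32_t)strlen(mime) + 1;
	return 8 + 4 + ((len + 3) & ~3u);
}

/* Marshal the request.  The whole message is checked up front so a refused
 * message leaves the buffer untouched; the header's 16-bit size field is a
 * second hard limit on message length. */
static int marshal_offer(struct ring_buffer *b, uint32_t object_id, const char *mime)
{
	uint32_t len = (uint32_t)strlen(mime) + 1, size = offer_wire_size(mime);
	uint32_t words[3] = { object_id, (size << 16) | 0u /* opcode 0 = offer */, len };
	static const char pad[4];

	if (size > 0xffff || size > ring_size_free(b)) {
		errno = E2BIG;
		return -1;
	}
	ring_put(b, words, sizeof words);
	ring_put(b, mime, len);
	ring_put(b, pad, ((len + 3) & ~3u) - len);
	return 0;
}

/* The bug report's case: an offer whose mime type is longer than the whole
 * buffer is refused (nothing partially written), then a normal offer is
 * queued at its exact wire size.  Returns the bytes queued (40). */
static int scenario_oversized_offer(void)
{
	struct ring_buffer b = { {0}, 0, 0 };
	char mime[RING_SIZE + 64];               /* constructed oversized input */

	memset(mime, 'x', sizeof mime - 1);
	mime[sizeof mime - 1] = '\0';
	errno = 0;
	if (marshal_offer(&b, 3, mime) == 0 || errno != E2BIG)
		return -1;
	if (ring_size_used(&b) != 0)
		return -2;
	if (marshal_offer(&b, 3, "text/plain;charset=utf-8") != 0)
		return -3;
	return (int)ring_size_used(&b);          /* 8 + 4 + 28 */
}

/* The legitimate wrap: once the reader has consumed bytes, a write that
 * straddles the end of data[] is split, and one byte more than the free
 * space is refused.  Returns the free space left afterwards (50). */
static int scenario_wraparound(void)
{
	struct ring_buffer b = { {0}, 0, 0 };
	char fill[RING_SIZE], msg[100];
	int i;

	memset(fill, 'A', sizeof fill);
	for (i = 0; i < 100; i++)
		msg[i] = (char)('a' + i % 26);
	if (ring_put(&b, fill, RING_SIZE - 50) != 0)   /* head = 4046 */
		return -1;
	b.tail += 100;                                  /* reader consumed 100 bytes */
	if (ring_put(&b, msg, 100) != 0)                /* 50 bytes at the end, 50 at the start */
		return -2;
	if (b.data[RING_SIZE - 1] != msg[49] || b.data[0] != msg[50])
		return -3;
	if (ring_put(&b, msg, 51) == 0)                 /* only 50 bytes are free */
		return -4;
	return (int)ring_size_free(&b);
}
```

The check belongs at the point where the whole message size is known, not in the per-chunk copy: marshal_offer rejects before the first ring_put, so a caller that sees E2BIG can drop or error the request without leaving a truncated message in the queue that the peer would misparse.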