[PATCH wayland 2/2] connection: fix demarshal of invalid header

Simon Ser contact at emersion.fr
Tue Mar 12 23:11:03 UTC 2019


On Wednesday, March 6, 2019 12:58 PM, Pekka Paalanen <ppaalanen at gmail.com> wrote:
> From: Pekka Paalanen pekka.paalanen at collabora.com
> The size argument to wl_connection_demarshal() is taken from the message by the
> caller wl_client_connection_data(), therefore 'size' is untrusted data
> controllable by a Wayland client. The size should always be at least the header
> size, otherwise the header is invalid.
> If the size is smaller than header size, it leads to reading past the end of
> allocated memory. Furthermore if size is zero, wl_closure_init() changes
> behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
> memory.
> Check that 'size' fits at least the header. The space for arguments is already
> properly checked.
> This makes the request_bogus_size test free of errors under Valgrind.
> Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52
> Signed-off-by: Pekka Paalanen pekka.paalanen at collabora.com

Both patches look good to me. I've also tested them with -fsanitize=address.

Take this with a grain of salt since I'm not very familiar with libwayland's
demarshalling code, but this is:

Reviewed-by: Simon Ser <contact at emersion.fr>

More information about the wayland-devel mailing list