[PATCH] Xtranssock.c: avoid buffer overrun in SocketReopen

Alan Coopersmith alan.coopersmith at oracle.com
Wed Dec 14 20:45:39 PST 2011

On 12/11/11 16:30, Robert Bragg wrote:
> This function was constructing an address from a port string allocating
> a buffer according to the size of the string but then later copying
> the address according to sizeof(struct sockaddr).
> This patch ensures that we allocate a struct sockaddr buffer with enough
> space for the port string to be copied into sa_data[] and uses that
> combined length to determine how much should be copied at the end of the
> function.
> This fixes a crash when using xwayland which uses ListenOnOpenFD() that
> will call _XSERVTransReopenCOTSServer() with a short port string like
> ":1".
> Signed-off-by: Robert Bragg<robert at linux.intel.com>

Looks good to me - especially cleaning up the prior assumptions that the
address family & length fields (if present) were always exactly 2 bytes
long (which was probably true of the original BSD implementation, but
not necessarily of every single implementation).

Pushed to git master with a:
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

To ssh://git.freedesktop.org/git/xorg/lib/libxtrans
    a04a45c..6086f6c  master -> master

	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System

More information about the xorg-devel mailing list