[PATCH] Xtranssock.c: avoid buffer overrun in SocketReopen
Alan Coopersmith
alan.coopersmith at oracle.com
Wed Dec 14 20:45:39 PST 2011
On 12/11/11 16:30, Robert Bragg wrote:
> This function was constructing an address from a port string allocating
> a buffer according to the size of the string but then later copying
> the address according to sizeof(struct sockaddr).
>
> This patch ensures that we allocate a struct sockaddr buffer with enough
> space for the port string to be copied into sa_data[] and uses that
> combined length to determine how much should be copied at the end of the
> function.
>
> This fixes a crash when using xwayland which uses ListenOnOpenFD() that
> will call _XSERVTransReopenCOTSServer() with a short port string like
> ":1".
>
> Signed-off-by: Robert Bragg <robert at linux.intel.com>

Looks good to me - especially cleaning up the prior assumptions that the
address family & length fields (if present) were always exactly 2 bytes
long (which was probably true of the original BSD implementation, but
not necessarily of every single implementation).

Pushed to git master with a:
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

To ssh://git.freedesktop.org/git/xorg/lib/libxtrans
a04a45c..6086f6c master -> master

--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Platform Engineering: X Window System
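
Added example, not part of the original thread and not the libxtrans code: a C sketch of the mismatch the commit message describes (buffer sized from the port string, copy sized by sizeof(struct sockaddr)) next to sizing from the struct layout and reusing one recorded length. All function names, the AF_UNIX family and the 2-byte header in legacy_alloc_len are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Pattern described in the commit message (constructed model): the buffer is
 * sized from the port string plus an assumed 2-byte family/length header. */
size_t legacy_alloc_len(const char *port)
{
    return strlen(port) + 2;
}

/* Bytes a copy of copy_len would touch beyond a buffer of alloc_len. */
size_t overrun_bytes(size_t alloc_len, size_t copy_len)
{
    return copy_len > alloc_len ? copy_len - alloc_len : 0;
}

/* Header size taken from the platform's struct layout, string and NUL placed
 * in sa_data[], and never smaller than a full struct sockaddr. */
size_t port_addr_len(const char *port)
{
    size_t need = offsetof(struct sockaddr, sa_data) + strlen(port) + 1;
    return need < sizeof(struct sockaddr) ? sizeof(struct sockaddr) : need;
}

/* Build the address; *len_out is the one length used for every later copy. */
struct sockaddr *build_port_addr(const char *port, size_t *len_out)
{
    size_t len = port_addr_len(port);
    struct sockaddr *sa = calloc(1, len);
    if (sa == NULL)
        return NULL;
    sa->sa_family = AF_UNIX; /* family chosen for the example (assumption) */
    memcpy((char *)sa + offsetof(struct sockaddr, sa_data), port, strlen(port) + 1);
    *len_out = len;
    return sa;
}

/* Duplicate using the recorded length, not sizeof(struct sockaddr). */
struct sockaddr *dup_addr(const struct sockaddr *src, size_t len)
{
    struct sockaddr *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, src, len);
    return copy;
}
```

With the ":1" port string from the report, overrun_bytes(legacy_alloc_len(":1"), sizeof(struct sockaddr)) is non-zero, which is the out-of-bounds read the fixed-size copy performs; with port_addr_len() it is zero.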