[PATCH:libFS 4/6] Avoid reading outside bounds when _FSReply receives an Error response

Alan Coopersmith alan.coopersmith at oracle.com
Fri Apr 12 20:58:45 PDT 2013

Upon receiving a response, _FSReply copies the first 8 bytes into *rep
and then looks at them to determine what type of response. If it's an
error packet, it then converts to an error struct and reads the rest,
but it was copying 16 bytes out of *rep to begin with, due to sloppy
casting. Since we immediately overwrite the second 8 bytes with the
data coming off the wire, this isn't horrible, but it really freaks out
static analysis and memory debugging tools.

Fixes parfait 1.1 warning:

Error: Buffer overrun
   Read Outside Array Bounds in STD C function: Read outside array bounds in call to llvm.memcpy.p0i8.p0i8.i64. Buffer ((char*)((union fsError*)rep)) of size ??? is read at an offset of 16
      size(((char*)((union fsError*)rep))) is 8, 16 is 16
        at line 751 of src/FSlibInt.c in function '_FSReply'.
        called at line 67 of src/FSSync.c in function 'FSSync' with rep = ((union fsReply*)&rep).

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
 src/FSlibInt.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/FSlibInt.c b/src/FSlibInt.c
index 0c24f89..96c5e62 100644
--- a/src/FSlibInt.c
+++ b/src/FSlibInt.c
@@ -748,7 +748,8 @@ _FSReply(
 		unsigned long serial;
 		long        err_data;
-		err = *(fsError *) rep;
+		/* copy in the part we already read off the wire */
+		memcpy(&err, rep, SIZEOF(fsReply));
 		/* read the rest of the error */
 		_FSRead(svr, (char *) &err + SIZEOF(fsReply),
 			(long) (SIZEOF(fsError) - SIZEOF(fsReply)));
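Review bot: the memcpy(&err, rep, SIZEOF(fsReply)) at line 751 only closes the over-read if err is a fsError value (the removed `err = *(fsError *) rep;` implies it is) and SIZEOF(fsError) >= SIZEOF(fsReply); the context above line 748 showing err's declaration is cut off here, so please confirm it and that <string.h> is included in src/FSlibInt.c for memcpy. It would also help to state in the new comment why only SIZEOF(fsReply) bytes of *rep are valid, since the following _FSRead length `(long) (SIZEOF(fsError) - SIZEOF(fsReply))` silently depends on that same size relationship.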
