[PATCH 3/3] Xext: "xauth generate" with large timeout crashes Xorg #27134

Bryce Harrington bryce at canonical.com
Fri Feb 8 15:56:03 PST 2013


Running “xauth generate $DISPLAY . timeout 99999999” crashes the
xserver.  This patch checks the maximum value of the timeout and bails
if requested time is too large.

This patch was authored and proposed to the mailing list in 2010 by
Arvind Umrao.  There was some discussion but no resolution, and the
patch was not picked up.  We have carried the patch in Ubuntu since Jun
2010 as it was confirmed to fix the reported issue.

ref: http://lists.x.org/archives/xorg-devel/2010-April/006992.html
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=27134

Signed-off-by: Bryce Harrington <bryce at canonical.com>
---
 Xext/security.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/Xext/security.c b/Xext/security.c
index 6cc9aa0..97e7ef3 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -260,9 +260,9 @@ SecurityComputeAuthorizationTimeout(SecurityAuthorizationPtr pAuth,
     /* maxSecs is the number of full seconds that can be expressed in
      * 32 bits worth of milliseconds
      */
-    CARD32 maxSecs = (CARD32) (~0) / (CARD32) MILLI_PER_SECOND;
+    CARD32 maxSecs = (CARD32) (MAXINT) / (CARD32) MILLI_PER_SECOND;
 
-    if (seconds > maxSecs) {    /* only come here if we want to wait more than 49 days */
+    if (seconds > maxSecs) {    /* only come here if we want to wait more than 24 days */
         pAuth->secondsRemaining = seconds - maxSecs;
         return maxSecs * MILLI_PER_SECOND;
     }
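Review bot: The comment above maxSecs still reads "32 bits worth of milliseconds", which no longer matches a limit derived from MAXINT, and neither the comment nor the commit message says why the signed maximum is the right bound. Please update that comment to state which consumer of the returned CARD32 treats it as signed. MAXINT follows the platform's int width, so a fixed 32-bit constant would make the intent explicit. The commit message also says the patch "bails if requested time is too large", but this branch still stores the remainder in pAuth->secondsRemaining and returns a capped timeout. Either the description or the code should change so that they agree.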
@@ -296,8 +296,6 @@ SecurityAuthorizationExpired(OsTimerPtr timer, CARD32 time, pointer pval)
 {
     SecurityAuthorizationPtr pAuth = (SecurityAuthorizationPtr) pval;
 
-    assert(pAuth->timer == timer);
-
     if (pAuth->secondsRemaining) {
         return SecurityComputeAuthorizationTimeout(pAuth,
                                                    pAuth->secondsRemaining);
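Review bot: Dropping assert(pAuth->timer == timer) at the top of SecurityAuthorizationExpired is not mentioned in the commit message, and removing an invariant check hides a mismatch instead of explaining it. If this assert is what fired in the reported crash, please describe how pAuth->timer ends up differing from the timer passed to the callback and fix that assignment. Otherwise keep the assert, or move its removal into a separate patch with its own rationale.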
-- 
1.7.9.5


