394dd6cf99
Resolves: https://issues.redhat.com/browse/RHEL-97278 Resolves: https://issues.redhat.com/browse/RHEL-97299 Resolves: https://issues.redhat.com/browse/RHEL-97374 Resolves: https://issues.redhat.com/browse/RHEL-97417 Resolves: https://issues.redhat.com/browse/RHEL-97249
63 lines
2.2 KiB
Diff
63 lines
2.2 KiB
Diff
From acc5a83e0d813403fa0377d9ed405c3ca2f9a39d Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 28 Apr 2025 11:47:15 +0200
|
|
Subject: [PATCH xserver 5/6] record: Check for overflow in
|
|
RecordSanityCheckRegisterClients()
|
|
|
|
The RecordSanityCheckRegisterClients() checks for the request length,
|
|
but does not check for integer overflow.
|
|
|
|
A client might send a very large value for either the number of clients
|
|
or the number of protocol ranges that will cause an integer overflow in
|
|
the request length computation, defeating the check for request length.
|
|
|
|
To avoid the issue, explicitly check the number of clients against the
|
|
limit of clients (which is much lower than an maximum integer value) and
|
|
the number of protocol ranges (multiplied by the record length) do not
|
|
exceed the maximum integer value.
|
|
|
|
This way, we ensure that the final computation for the request length
|
|
will not overflow the maximum integer limit.
|
|
|
|
CVE-2025-49179
|
|
|
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
(cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00)
|
|
---
|
|
record/record.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/record/record.c b/record/record.c
|
|
index e123867a7..018e53f81 100644
|
|
--- a/record/record.c
|
|
+++ b/record/record.c
|
|
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
|
|
#include "inputstr.h"
|
|
#include "eventconvert.h"
|
|
#include "scrnintstr.h"
|
|
+#include "opaque.h"
|
|
|
|
#include <stdio.h>
|
|
#include <assert.h>
|
|
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
|
|
int i;
|
|
XID recordingClient;
|
|
|
|
+ /* LimitClients is 2048 at max, way less that MAXINT */
|
|
+ if (stuff->nClients > LimitClients)
|
|
+ return BadValue;
|
|
+
|
|
+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
|
|
+ return BadValue;
|
|
+
|
|
if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
|
|
4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
|
|
return BadLength;
|
|
--
|
|
2.49.0
|
|
|