Bugtraq mailing list archives
Re: xdm problems
From: matthieu () LAAS FR (Matthieu Herrb)
Date: Mon, 20 Apr 1998 18:12:16 +0200
Here's a patch at the source of the problem (a double free() while doing error recovery in libXdmcp). It will also help if one finds another way to feed libXdmcp with incorrect data. Index: xc/lib/Xdmcp/DA16.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/DA16.c,v retrieving revision 1.1.1.1 retrieving revision 1.3 diff -u -r1.1.1.1 -r1.3 --- DA16.c 1997/09/05 08:59:52 1.1.1.1 +++ DA16.c 1998/04/17 11:30:08 1.3 @@ -37,7 +37,8 @@ XdmcpDisposeARRAY16 (array) ARRAY16Ptr array; { - Xfree (array->data); + if (array->data != 0) + Xfree (array->data); array->length = 0; array->data = 0; } Index: xc/lib/Xdmcp/DA32.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/DA32.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- DA32.c 1997/09/05 08:59:52 1.1.1.1 +++ DA32.c 1998/04/17 10:09:49 1.2 @@ -37,7 +37,8 @@ XdmcpDisposeARRAY32 (array) ARRAY32Ptr array; { - Xfree (array->data); + if (array->data != 0) + Xfree (array->data); array->length = 0; array->data = 0; } Index: xc/lib/Xdmcp/DA8.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/DA8.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- DA8.c 1997/09/05 08:59:52 1.1.1.1 +++ DA8.c 1998/04/17 10:09:51 1.2 @@ -37,7 +37,8 @@ XdmcpDisposeARRAY8 (array) ARRAY8Ptr array; { - Xfree (array->data); + if (array->data != 0) + Xfree (array->data); array->length = 0; array->data = 0; } Index: xc/lib/Xdmcp/DAofA8.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/DAofA8.c,v retrieving revision 1.1.1.1 retrieving revision 1.3 diff -u -r1.1.1.1 -r1.3 --- DAofA8.c 1997/09/05 08:59:52 1.1.1.1 +++ DAofA8.c 1998/04/17 11:30:09 1.3 
@@ -41,7 +41,8 @@ for (i = 0; i < (int)array->length; i++) XdmcpDisposeARRAY8 (&array->data[i]); - Xfree (array->data); + if (array->data != 0) + Xfree (array->data); array->length = 0; array->data = 0; } Index: xc/lib/Xdmcp/RA16.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/RA16.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- RA16.c 1997/09/05 08:59:53 1.1.1.1 +++ RA16.c 1998/04/17 10:09:53 1.2 @@ -55,6 +55,7 @@ if (!XdmcpReadCARD16 (buffer, &array->data[i])) { Xfree (array->data); + array->data = 0; return FALSE; } } Index: xc/lib/Xdmcp/RA32.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/RA32.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- RA32.c 1997/09/05 08:59:53 1.1.1.1 +++ RA32.c 1998/04/17 10:09:54 1.2 @@ -55,6 +55,7 @@ if (!XdmcpReadCARD32 (buffer, &array->data[i])) { Xfree (array->data); + array->data = 0; return FALSE; } } Index: xc/lib/Xdmcp/RA8.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/RA8.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- RA8.c 1997/09/05 08:59:53 1.1.1.1 +++ RA8.c 1998/04/17 10:09:55 1.2 @@ -55,6 +55,7 @@ if (!XdmcpReadCARD8 (buffer, &array->data[i])) { Xfree (array->data); + array->data = 0; return FALSE; } } Index: xc/lib/Xdmcp/RAofA8.c =================================================================== RCS file: /cvs/X11/xc/lib/Xdmcp/RAofA8.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- RAofA8.c 1997/09/05 08:59:53 1.1.1.1 +++ RAofA8.c 1998/04/17 10:09:57 1.2 @@ -55,6 +55,7 @@ if (!XdmcpReadARRAY8 (buffer, &array->data[i])) { Xfree (array->data); + array->data = 0; return FALSE; } } Matthieu
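Review bot: In the DA16.c, DA32.c and DA8.c hunks the new "if (array->data != 0)" test only skips a null pointer, so it does nothing for a pointer that was already freed but not cleared. The protection against a second free comes from the "array->data = 0;" resets: the one already at the end of each dispose function and the ones added in the RA*.c hunks. A short comment above the test stating that a null data field means there is nothing to free would document that contract, and comparing against NULL rather than 0 would read more clearly for a pointer.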
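Review bot: In the DAofA8.c hunk the null test sits after the loop "for (i = 0; i < (int)array->length; i++) XdmcpDisposeARRAY8 (&array->data[i]);", so the loop still indexes array->data before it has been checked. If this function is reached with data set to 0 and length non-zero, the loop dereferences a null pointer. Moving the test up so that it covers the loop as well as the Xfree call would close that path.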
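Review bot: In the RA16.c, RA32.c, RA8.c and RAofA8.c hunks the error path now clears array->data, but the visible lines leave array->length untouched, so a failed read can hand back an array whose length is non-zero while data is 0. Setting "array->length = 0;" next to the added "array->data = 0;" would keep the two fields consistent for the dispose code in DAofA8.c, which loops over length before it looks at data. In RAofA8.c the error path also frees only the outer array->data, so elements already filled in by XdmcpReadARRAY8 in earlier iterations appear to be leaked; disposing them before the Xfree would address that.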