Bug 20675 - X -query crashes on a machine with 256+ nonlocal IP addresses
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: unspecified
Hardware: All All
: low minor
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2009-03-15 13:05 UTC by Pavel Kankovsky
Modified: 2009-04-14 07:57 UTC (History)

Description Pavel Kankovsky 2009-03-15 13:05:05 UTC
When you start X -query IP (without -from) on a machine with at least 256 nonlocal IP addresses, an arithmetic overflow followed by an out-of-bounds write occurs during the 256th invocation of XdmcpRegisterConnection() (xserver/tree/os/xdmcp.c) when it tries to add more data to ConnectionAddresses:

1. the reallocation extends the array to 256 entries but the new value of ConnectionAddresses.length will be zero because its type is CARD8:
    if (!XdmcpReallocARRAYofARRAY8 (&ConnectionAddresses,
				    ConnectionAddresses.length +  1))

2. the assignment of new data writes to "index -1" and corrupts the heap, making the process ready to go down in flames:
    ConnectionAddresses.data[ConnectionAddresses.length-1].data = newAddress;
    ConnectionAddresses.data[ConnectionAddresses.length-1].length = addrlen;

Comment 1 Adam Jackson 2009-04-14 07:57:55 UTC
Fixed (in the sense of not crashing) in master, thanks!
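
The 8-bit length wrap described in the report, together with one possible guard, as an added example that is not taken from the xserver source or from the committed fix. The types and functions below are simplified stand-ins (assumptions) for ARRAYofARRAY8, XdmcpReallocARRAYofARRAY8() and XdmcpRegisterConnection(); the address is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the libXdmcp array types (assumption). */
typedef struct { uint16_t length; uint8_t *data; } Array8;
typedef struct { uint8_t length; Array8 *data; } ArrayOfArray8; /* CARD8 length */

/* Stand-in for the realloc helper: takes an int, stores it in 8 bits. */
static int realloc_array(ArrayOfArray8 *a, int length)
{
    Array8 *p = realloc(a->data, (size_t)length * sizeof(Array8));
    if (!p) return 0;
    a->data = p;
    a->length = (uint8_t)length;          /* 256 is truncated to 0 here */
    return 1;
}

/* Index the unguarded code would use after growing by one entry.
 * Computed only, never dereferenced. */
int unguarded_write_index(uint8_t current_length)
{
    uint8_t new_length = (uint8_t)(current_length + 1);
    return new_length - 1;                /* int arithmetic: 0 - 1 == -1 */
}

/* Guarded registration: refuse to grow past what the length field holds. */
int register_address(ArrayOfArray8 *a, uint8_t *addr, uint16_t addrlen)
{
    if (a->length == UINT8_MAX) return 0; /* the 256th entry would wrap */
    if (!realloc_array(a, a->length + 1)) return 0;
    a->data[a->length - 1].data = addr;
    a->data[a->length - 1].length = addrlen;
    return 1;
}

/* Offer n copies of a constructed address; return how many were accepted. */
int register_many(int n)
{
    static uint8_t sample[4] = {192, 0, 2, 1};
    ArrayOfArray8 a = {0, NULL};
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += register_address(&a, sample, sizeof sample);
    free(a.data);
    return accepted;
}

int main(void) { printf("%d %d\n", unguarded_write_index(255), register_many(300)); return 0; }
```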

