author | Brian Cameron <brian.cameron@sun.com> | 2007-07-30 19:37:22 +0000 |
---|---|---|
committer | Brian Cameron <bcameron@src.gnome.org> | 2007-07-30 19:37:22 +0000 |
commit | ede0aee30bfcfec7aece247b44d0e98c2829eb4a (patch) | |
tree | 4384965e59ee2c260f39282469f750a97bc2ade0 /daemon | |
parent | c5a1beb722b493253473c82b93e5c9d87cacb848 (diff) | |
download | gdm-ede0aee30bfcfec7aece247b44d0e98c2829eb4a.tar.gz |
This fixes CVE-2007-3381 - a denial of service attack where the user can
2007-07-30 Brian Cameron <brian.cameron@sun.com>
This fixes CVE-2007-3381 - a denial of service attack where
the user can crash the GDM daemon with a carefully crafted GDM
sockets command and cause GDM to stop managing future displays.
* daemon/gdm.c, daemon/gdmconfig.c, gui/gdmconfig.c,
gui/gdmflexiserver.c, gui/gdmconfig.c: Fix g_strsplit calls
so that NULL return codes are better handled.
svn path=/branches/gnome-2-16/; revision=5100
Diffstat (limited to 'daemon')
-rw-r--r-- | daemon/gdm.c | 22 | ||||
-rw-r--r-- | daemon/gdmconfig.c | 13 |
2 files changed, 22 insertions, 13 deletions
diff --git a/daemon/gdm.c b/daemon/gdm.c index de95cc94..6e08e9d4 100644 --- a/daemon/gdm.c +++ b/daemon/gdm.c @@ -3087,9 +3087,13 @@ gdm_handle_user_message (GdmConnection *conn, const gchar *msg, gpointer data) } else if (strncmp (msg, GDM_SUP_GET_SERVER_DETAILS " ", strlen (GDM_SUP_GET_SERVER_DETAILS " ")) == 0) { - const gchar *server = &msg[strlen (GDM_SUP_GET_SERVER_DETAILS " ")]; - gchar **splitstr = g_strsplit (server, " ", 2); - GdmXserver *svr = gdm_find_xserver ((gchar *)splitstr[0]); + const gchar *server = &msg[strlen (GDM_SUP_GET_SERVER_DETAILS " ")]; + gchar **splitstr = g_strsplit (server, " ", 2); + GdmXserver *svr = NULL; + + if (splitstr != NULL && splitstr[0] != NULL) { + svr = gdm_find_xserver ((gchar *)splitstr[0]); + } if (svr != NULL) { if (g_strcasecmp (splitstr[1], "ID") == 0) @@ -3126,12 +3130,11 @@ gdm_handle_user_message (GdmConnection *conn, const gchar *msg, gpointer data) gdm_connection_printf (conn, "OK false\n"); else gdm_connection_printf (conn, "ERROR 2 Key not valid\n"); - - g_strfreev (splitstr); } else { gdm_connection_printf (conn, "ERROR 1 Server not found\n"); } + g_strfreev (splitstr); } else if (strcmp (msg, GDM_SUP_GREETERPIDS) == 0) { GString *msg; GSList *li; @@ -3161,10 +3164,15 @@ gdm_handle_user_message (GdmConnection *conn, const gchar *msg, gpointer data) } else if (strncmp (msg, GDM_SUP_GET_CONFIG " ", strlen (GDM_SUP_GET_CONFIG " ")) == 0) { const gchar *parms = &msg[strlen (GDM_SUP_GET_CONFIG " ")]; - gchar **splitstr = g_strsplit (parms, " ", 2); - gchar *retval = NULL; + gchar **splitstr = g_strsplit (parms, " ", 2); + gchar *retval = NULL; static gboolean done_prefetch = FALSE; + if (splitstr == NULL || splitstr[0] == NULL) { + gdm_connection_printf (conn, "ERROR 50 Unsupported key <null>\n"); + return; + } + /* * It is not meaningful to manage this in a per-display * fashion since the prefetch program is only run once the diff --git a/daemon/gdmconfig.c b/daemon/gdmconfig.c index df210246..1ff4024a 100644 
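Review bot: `splitstr[1]` is still passed to `g_strcasecmp` unchecked in the `if (svr != NULL)` branch right after the added guard, so a GET_SERVER_DETAILS request that names an existing server but carries no key is not rejected. With a split limit of 2, g_strsplit leaves `splitstr[1]` NULL for such input. GLib's precondition check in g_strcasecmp would normally log a critical and return 0, so the missing key would be treated as "ID" instead of producing an error; if those checks are compiled out it becomes a NULL dereference, so confirm this against the GLib build in use. I would start the comparison chain with `if (splitstr[1] == NULL) gdm_connection_printf (conn, "ERROR 2 Key not valid\n"); else if (g_strcasecmp (splitstr[1], "ID") == 0)`. The remainder of the key chain lies outside this hunk.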
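Review bot: The new early `return;` in the GDM_SUP_GET_CONFIG branch exits without freeing `splitstr`, so when g_strsplit returns an empty vector (`splitstr[0] == NULL`) that allocation is leaked on every such request. The daemon is long-running and this path is driven by socket input, so the vector should be released first: add `g_strfreev (splitstr);` on the line before `return;` (g_strfreev accepts NULL). The added `if (splitstr == NULL || splitstr[0] == NULL) return;` in gdm_config_key_to_string in daemon/gdmconfig.c has the same shape. The g_strsplit call there is outside the hunk, so check whether that path frees the vector too. The rest of this branch continues outside the hunk.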
--- a/daemon/gdmconfig.c +++ b/daemon/gdmconfig.c @@ -816,9 +816,10 @@ gdm_config_key_to_string_per_display (const gchar *display, gchar *key, gchar ** file = gdm_get_per_display_custom_config_file (display); - if (strcmp (ve_sure_string (splitstr[0]), "greeter") == 0 || - strcmp (ve_sure_string (splitstr[0]), "gui") == 0 || - is_key (key, GDM_KEY_PAM_STACK)) { + if (splitstr != NULL && + (strcmp (ve_sure_string (splitstr[0]), "greeter") == 0 || + strcmp (ve_sure_string (splitstr[0]), "gui") == 0 || + is_key (key, GDM_KEY_PAM_STACK))) { gdm_config_key_to_string (file, key, retval); } @@ -844,7 +845,7 @@ gdm_config_key_to_string (gchar *file, gchar *key, gchar **retval) *retval = NULL; /* Should not fail, all keys should have a category. */ - if (splitstr[0] == NULL) + if (splitstr == NULL || splitstr[0] == NULL) return; /* If file doesn't exist, then just return */ @@ -1705,7 +1706,7 @@ gdm_update_config (gchar* key) if (custom_cfg != NULL) { gchar **splitstr = g_strsplit (key, "/", 2); - if (splitstr[0] != NULL) { + if (splitstr != NULL && splitstr[0] != NULL) { GList *list = ve_config_get_keys (custom_cfg, splitstr[0]); while (list != NULL) { @@ -1893,7 +1894,7 @@ gdm_load_config_option (gpointer key_in, gpointer value_in, gpointer data) /* First check the custom file */ if (cfgfiles->custom_cfg != NULL) { gchar **splitstr = g_strsplit (key_in, "/", 2); - if (splitstr[0] != NULL) { + if (splitstr != NULL && splitstr[0] != NULL) { GList *list = ve_config_get_keys (cfgfiles->custom_cfg, splitstr[0]); while (list != NULL) { |