Fix use after free on subsequent calls

The function IceAuthFileName is vulnerable to a use after free. The flaw can be triggered by calling the function three times: - First call succeeds and stores the path in buf, a dynamically allocated buffer with size bsize. - Second call fails due to out of memory. It frees buf, but keeps the old size in bsize. - Third call only checks if bsize is large enough. Then it uses buf without allocating it again -- the use after free happens. In order to exploit this, an attacker must change environment variables between each call, namely ICEAUTHORITY or HOME. It also takes subsequent calls. Due to these limitations, I don't consider this to be of high priority. Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2016-11-22 20:13:29 +0100
committer: Matthieu Herrb <matthieu@herrb.eu> 2016-12-09 21:38:29 +0100
commit: ac4bb20e74e064b219de70e9b54516a921fdb7c3 (patch)
tree: ebf804665031992df7a922a6306302a27b2577db /src
parent: b1720edc9b9f3e7a05caa3fcd81761e5818ea255 (diff)
download: xorg-lib-libICE-ac4bb20e74e064b219de70e9b54516a921fdb7c3.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/src/authutil.c b/src/authutil.c
index 04c0791..ca0504a 100644
--- a/src/authutil.c
+++ b/src/authutil.c
@@ -114,8 +114,10 @@ IceAuthFileName (void)
 	if (buf)
 	    free (buf);
 	buf = malloc (size);
-	if (!buf)
+	if (!buf) {
+	    bsize = 0;
 	    return (NULL);
+	}
 	bsize = size;
     }
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2016-11-22 20:13:29 +0100
committer	Matthieu Herrb <matthieu@herrb.eu>	2016-12-09 21:38:29 +0100
commit	ac4bb20e74e064b219de70e9b54516a921fdb7c3 (patch)
tree	ebf804665031992df7a922a6306302a27b2577db /src
parent	b1720edc9b9f3e7a05caa3fcd81761e5818ea255 (diff)
download	xorg-lib-libICE-ac4bb20e74e064b219de70e9b54516a921fdb7c3.tar.gz