Re: xdm problems

From: Hank Leininger (hlein@PROGRESSIVE-COMP.COM)
Date: Sun Apr 19 1998 - 12:44:05 PDT

Next message: Chris Evans: "Nasty security hole in "lprm""

Previous message: DilDog: "Update on Windows Buffer Overflow"
Maybe in reply to: Thomas Roessler: "xdm problems"
Next in thread: Matthieu Herrb: "Re: xdm problems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 17 Apr 1998, Thomas Roessler wrote:

> [root@sobolev /root]# /usr/X11R6/bin/xdm -nodaemon &
> [1] 8668
[snip]
> [root@sobolev /root]# echo bla | socket localhost 2639
> [1]+  Segmentation fault      /usr/X11R6/bin/xdm -nodaemon


Below is a patch that seems to have fixed this, at least for me.

A(nother| better) patch might be to disable the listening TCP socket
entirely if your Xaccess configuration makes it unneccessary.

[ Disclaimer: It is quick, it is dirty, and I am the world's worst C
coder.   I no longer work in a heavily xdm-using environment, but after
quick tests I don't *seem* to have broken anything. ]

The problematic code in XFree86 looks to be directly from X11R6.3, which
means it may have the same problem at least on some platforms.

Cc'ed to the XFree86 folks && the OpenGroup.


Hank Leininger
<hlein@progressive-comp.com>

---------

vogon:/usr/local/src/XFree-3.3.2/xc/programs/xdm(97)$ diff -u choose.c.orig choose.c
--- choose.c.orig       Sat Jan 18 02:02:19 1997
+++ choose.c    Fri Apr 17 11:35:41 1998
@@ -551,15 +551,22 @@
        clientAddress.length = 0;
        choice.data = 0;
        choice.length = 0;
-       if (XdmcpReadARRAY8 (&buffer, &clientAddress) &&
-           XdmcpReadCARD16 (&buffer, &connectionType) &&
-           XdmcpReadARRAY8 (&buffer, &choice))
-       {
-           Debug ("Read from chooser succesfully\n");
-           RegisterIndirectChoice (&clientAddress, connectionType, &choice);
+       if (XdmcpReadARRAY8 (&buffer, &clientAddress)) {
+           if (XdmcpReadCARD16 (&buffer, &connectionType)) {
+               if (XdmcpReadARRAY8 (&buffer, &choice)) {
+                   Debug ("Read from chooser succesfully\n");
+                   RegisterIndirectChoice (&clientAddress, connectionType, &choice);
+                   XdmcpDisposeARRAY8 (&choice);
+               } else {
+                   LogError ("Invalid choice response length %d\n", len);
+               }
+           } else {
+               LogError ("Invalid choice response length %d\n", len);
+           }
+           XdmcpDisposeARRAY8 (&clientAddress);
+       } else {
+           LogError ("Invalid choice response length %d\n", len);
        }
-       XdmcpDisposeARRAY8 (&clientAddress);
-       XdmcpDisposeARRAY8 (&choice);
     }
     else
     {

Next message: Chris Evans: "Nasty security hole in "lprm""
Previous message: DilDog: "Update on Windows Buffer Overflow"
Maybe in reply to: Thomas Roessler: "xdm problems"
Next in thread: Matthieu Herrb: "Re: xdm problems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:37 PDT