authorCarsten Haitzler (Rasterman) <raster@rasterman.com>2017-03-23 16:27:19 +0900
committerCarsten Haitzler (Rasterman) <raster@rasterman.com>2017-03-23 16:27:19 +0900
commit02a7e00c01ea727eaae6066b2cf1b075be7c3287 (patch)
tree55153a7b7c70407fbce0e3d237f4ccf938e30188
parent2787f0fe5dfe1e880a07bf957aa2a111866f25dc (diff)
ecore_evas extn - fix buffer n check for lock files with untrusted val
The code added by minkyoung has a definite security flaw here: it trusts e->response to be within a small range when all it is is an int, whose range is not limited other than that. So fix the code to check the range, as the code further below does. That commit went in 2 days ago, so this is not a fix for an existing bug.
-rw-r--r--src/modules/ecore_evas/engines/extn/ecore_evas_extn.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c b/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c
index af5f3de88d..16335da1d2 100644
--- a/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c
+++ b/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c
@@ -1021,16 +1021,20 @@ _ipc_server_data(void *data, int type EINA_UNUSED, void *event)
1021 { 1021 {
1022 Ipc_Data_Update *ipc; 1022 Ipc_Data_Update *ipc;
1023 int n = e->response; 1023 int n = e->response;
1024
1024 /* b->lockfd is not enough to ensure the size is same 1025 /* b->lockfd is not enough to ensure the size is same
1025 * between what server knows, and client knows. 1026 * between what server knows, and client knows.
1026 * So should check file lock also. */ 1027 * So should check file lock also. */
1027 if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf))) 1028 if ((n >= 0) && (n < NBUF))
1028 { 1029 {
1029 EINA_LIST_FREE(extn->file.updates, ipc) 1030 if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
1030 { 1031 {
1031 free(ipc); 1032 EINA_LIST_FREE(extn->file.updates, ipc)
1033 {
1034 free(ipc);
1035 }
1036 break;
1032 } 1037 }
1033 break;
1034 } 1038 }
1035 1039
1036 EINA_LIST_FREE(extn->file.updates, ipc) 1040 EINA_LIST_FREE(extn->file.updates, ipc)
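Review bot: An out-of-range `n` now skips the lock-file test at `if ((n >= 0) && (n < NBUF))` but still falls through to the `EINA_LIST_FREE(extn->file.updates, ipc)` loop that follows, so a message carrying a bad `e->response` is handled like a valid one instead of being rejected. The commit message says the code further down repeats the range test, but that code is outside the hunk, so it cannot be confirmed from here that every later use of `n` is covered. Consider validating once, right after `int n = e->response;`, and bailing out early with `if ((n < 0) || (n >= NBUF)) break;` (freeing the pending updates first if they should not survive a rejected message). A comment such as `/* e->response is peer-controlled: range-check before indexing extn->b[] */` would tell the next editor why the check exists. The enclosing `_ipc_server_data` starts and ends outside the hunk.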