forked from enlightenment/efl
ecore_evas extn - fix buffer n check for lock files with untrusted val
the code added by minkyoung has a definite security flaw here: it trusts e->response to be within a small range when all it is is an int - its range is not limited other than that... so fix the code to check for range like the code further below does. this commit went in 2 days ago... so not an existing bug fix.
parent
2787f0fe5d
commit
02a7e00c01
|
@ -1021,16 +1021,20 @@ _ipc_server_data(void *data, int type EINA_UNUSED, void *event)
|
||||||
{
|
{
|
||||||
Ipc_Data_Update *ipc;
|
Ipc_Data_Update *ipc;
|
||||||
int n = e->response;
|
int n = e->response;
|
||||||
|
|
||||||
/* b->lockfd is not enough to ensure the size is same
|
/* b->lockfd is not enough to ensure the size is same
|
||||||
* between what server knows, and client knows.
|
* between what server knows, and client knows.
|
||||||
* So should check file lock also. */
|
* So should check file lock also. */
|
||||||
if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
|
if ((n >= 0) && (n < NBUF))
|
||||||
{
|
{
|
||||||
EINA_LIST_FREE(extn->file.updates, ipc)
|
if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
|
||||||
{
|
{
|
||||||
free(ipc);
|
EINA_LIST_FREE(extn->file.updates, ipc)
|
||||||
|
{
|
||||||
|
free(ipc);
|
||||||
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
EINA_LIST_FREE(extn->file.updates, ipc)
|
EINA_LIST_FREE(extn->file.updates, ipc)
|
||||||
|
|
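Review bot: An out-of-range `n` is skipped silently at `if ((n >= 0) && (n < NBUF))`, and control then falls through to the `EINA_LIST_FREE(extn->file.updates, ipc)` loop after the block. A peer that sends a bad buffer index in `e->response` therefore leaves no trace for whoever debugs or monitors this IPC channel. I would add a comment at the declaration, `/* n comes from the IPC peer and is untrusted; it must be range-checked before every extn->b[n] access */`, and log the rejected value in an `else` branch using whatever logging macro this file already uses. The check also relies on `extn->b` being declared with exactly `NBUF` elements, which is not visible here and is worth confirming. The body of `_ipc_server_data` continues outside the hunk, so any later use of `n` has to be checked against the same bound.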