  25. Mar 23, 2017
    • Fix double-free/OOB-write while receiving IPC data · f7a547b7
      Tobias Stoeckmann authored
      
      If a malicious client pretends to be the E17 window manager, it is
      possible to trigger an out of boundary heap write while receiving an
      IPC message.
      
      The length of the already received message is stored in an unsigned
      short, which overflows after receiving 64 KB of data. It's a comparably
      small amount of data and therefore achievable for an attacker.
      
      When len overflows, realloc() will either be called with a small value
      and therefore chars will be appended out of bounds, or len + 1 will be
      exactly 0, in which case realloc() behaves like free(). This could be
      abused for a later double-free attack as it's even possible to overwrite
      the free information -- but this depends on the malloc implementation.
      
      Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
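The length accounting described in the commit message above, as an added example that is not part of the original commit or the project's code: `flawed_request` models the size a `len + 1` reallocation would ask for when the running length is kept in an unsigned short (assumed 16 bits wide), and `ipc_append` is one hardened alternative. All names and the 1 MiB cap are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPC_MSG_MAX ((size_t)1 << 20) /* assumed policy cap, not from the page */

/* Model only, no memory is touched: size requested from realloc() after
 * appending `chunk` bytes to `total` stored bytes when the running length
 * lives in an unsigned short (assumed 16 bits). */
size_t flawed_request(size_t total, size_t chunk)
{
    unsigned short len = (unsigned short)total; /* truncated modulo 65536 */
    len = (unsigned short)(len + chunk);        /* wraps silently */
    return (size_t)len + 1;                     /* +1 for the NUL terminator */
}

struct ipc_msg { char *data; size_t len; };

/* Hardened append: size_t length, explicit cap, realloc() result checked.
 * Returns 0 on success, -1 when the cap would be exceeded or on OOM; on
 * failure the buffer is released and reset so no stale pointer survives. */
int ipc_append(struct ipc_msg *m, const char *chunk, size_t n)
{
    char *p;
    if (n > IPC_MSG_MAX - 1 || m->len > IPC_MSG_MAX - 1 - n)
        goto fail;
    p = realloc(m->data, m->len + n + 1);
    if (p == NULL)
        goto fail;
    memcpy(p + m->len, chunk, n);
    m->data = p;
    m->len += n;
    m->data[m->len] = '\0';
    return 0;
fail:
    free(m->data);
    m->data = NULL;
    m->len = 0;
    return -1;
}

int main(void)
{
    /* Constructed input: 65524 bytes already stored, a 12-byte chunk arrives. */
    printf("needed=%zu flawed_request=%zu\n",
           (size_t)65524 + 12 + 1, flawed_request(65524, 12));
    return 0;
}
```
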