Skip to content
  1. Apr 01, 2017
  2. Mar 28, 2017
  3. Mar 23, 2017
    • Tobias Stoeckmann's avatar
      Fix double-free/OOB-write while receiving IPC data · f7a547b7
      Tobias Stoeckmann authored
      
      
      If a malicious client pretends to be the E17 window manager, it is
      possible to trigger an out of boundary heap write while receiving an
      IPC message.
      
      The length of the already received message is stored in an unsigned
      short, which overflows after receiving 64 KB of data. It's comparably
      small amount of data and therefore achievable for an attacker.
      
      When len overflows, realloc() will either be called with a small value
      and therefore chars will be appended out of bounds, or len + 1 will be
      exactly 0, in which case realloc() behaves like free(). This could be
      abused for a later double-free attack as it's even possible to overwrite
      the free information -- but this depends on the malloc implementation.
      
      Signed-off-by: default avatarTobias Stoeckmann <tobias@stoeckmann.org>
      f7a547b7
  4. Feb 26, 2017
  5. Feb 23, 2017
  6. Feb 16, 2017
  7. Jan 22, 2017
  8. Jan 15, 2017
  9. Jan 14, 2017
  10. Jan 12, 2017
  11. Jan 11, 2017
  12. Jan 02, 2017
  13. Dec 07, 2016
  14. Nov 01, 2016
  15. Oct 31, 2016
  16. Oct 30, 2016
  17. Oct 29, 2016
  18. Oct 24, 2016
  19. Oct 17, 2016
  20. Oct 15, 2016
  21. Oct 01, 2016
  22. Sep 21, 2016
  23. Sep 06, 2016
  24. Sep 01, 2016
  25. Aug 31, 2016
  26. Aug 28, 2016
Loading