Skip to content
  1. Jun 20, 2017
  2. Jun 19, 2017
  3. Jun 18, 2017
  4. Jun 06, 2017
  5. Jun 01, 2017
  6. Apr 16, 2017
  7. Apr 06, 2017
  8. Apr 05, 2017
  9. Apr 04, 2017
  10. Apr 03, 2017
  11. Apr 02, 2017
  12. Apr 01, 2017
  13. Mar 28, 2017
  14. Mar 23, 2017
    • Tobias Stoeckmann's avatar
      Fix double-free/OOB-write while receiving IPC data · f7a547b7
      Tobias Stoeckmann authored
      
      
      If a malicious client pretends to be the E17 window manager, it is
      possible to trigger an out of boundary heap write while receiving an
      IPC message.
      
      The length of the already received message is stored in an unsigned
      short, which overflows after receiving 64 KB of data. It's comparably
      small amount of data and therefore achievable for an attacker.
      
      When len overflows, realloc() will either be called with a small value
      and therefore chars will be appended out of bounds, or len + 1 will be
      exactly 0, in which case realloc() behaves like free(). This could be
      abused for a later double-free attack as it's even possible to overwrite
      the free information -- but this depends on the malloc implementation.
      
      Signed-off-by: default avatarTobias Stoeckmann <tobias@stoeckmann.org>
      f7a547b7
  15. Feb 26, 2017
  16. Feb 23, 2017
  17. Feb 16, 2017
  18. Jan 22, 2017
  19. Jan 15, 2017
  20. Jan 14, 2017
  21. Jan 12, 2017
  22. Jan 11, 2017
  23. Jan 02, 2017
  24. Dec 07, 2016
  25. Nov 01, 2016
  26. Oct 31, 2016
Loading