Subject: xsrc/25098: Xlib segfaults with IPv6
To: None <gnats-bugs@gnats.netbsd.org>
From: None <mlelstv@serpens.de>
List: netbsd-bugs
Date: 04/08/2004 01:20:51
>Number: 25098
>Category: xsrc
>Synopsis: Xlib segfaults with IPv6
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: xsrc-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Apr 07 23:22:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Michael van Elst
>Release: NetBSD 1.6.2
>Organization:
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
>Environment:
System: NetBSD pepew 1.6.2 NetBSD 1.6.2 (PEPEW) #1: Mon Feb 23 23:34:11 MET 2004 src@pepew:/amd/fud/d/0/src/sys/arch/i386/compile/PEPEW i386
Architecture: i386
Machine: i386
>Description:
All X11 programs segfault if connecting via TCP/IP to an X server
and if IPv6 XDM-AUTHORIZATION-1 data exists in .Xauthority.
This is caused by a missing break statement in GetAuthorization.
As a consequence, the 24-byte XDMCP buffer is filled by the AF_INET6
clause and then falls through to the AF_UNIX clause, which overflows
the buffer.
Additionally, the xdmcp buffer is filled incorrectly for AF_INET6.
Please also note the 'XXX This should probably never happen'
comment in that switch clause.
See also:
http://cvsweb.xfree86.org/cvsweb/xc/lib/X11/ConnDis.c.diff?r1=3.27&r2=3.28
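The fall-through described above, as a constructed C model added here (it is not Xlib's ConnDis.c and not the submitter's code): the address-family switch fills a 24-byte XDMCP buffer, and with the break placed inside the v4-mapped branch only, the IPv6 "fake data" path runs on into the AF_UNIX case and past the end of the buffer. Everything around the six address/port bytes is assumed for illustration: the 8-byte rho and 4-byte timestamp placeholders, the sample address 127.0.0.1 and port 6000, and the names put, fill_xdmcp and xdmcp_len. Writes go through a bounds-checked helper so the overflow is reported instead of corrupting the stack.

```c
/*
 * Constructed model of the GetAuthorization switch described in the report.
 * It is NOT Xlib's ConnDis.c: the field layout around the 6 address/port
 * bytes (8-byte "rho" and 4-byte timestamp placeholders), the sample address
 * and port, and all names are assumptions for illustration.
 * Every write goes through put(), which refuses to step past the 24-byte
 * buffer instead of corrupting the stack, so the fall-through becomes a
 * reported error rather than a segfault.
 */
#include <stdio.h>
#include <string.h>

#define XDMCP_LEN 24            /* 192 bits of XDM-AUTHORIZATION-1 data */

enum fam { FAM_INET, FAM_INET6, FAM_UNIX };

struct writer {
    unsigned char buf[XDMCP_LEN];
    size_t j;                   /* next index to fill */
    int overflow;               /* set when a write was refused */
};

static void put(struct writer *w, unsigned char b)
{
    if (w->j >= sizeof w->buf) {
        w->overflow = 1;        /* bounds check the original code lacks */
        return;
    }
    w->buf[w->j++] = b;
}

/*
 * Fills the buffer for one address family and returns the number of bytes
 * written, or -1 if a write ran past XDMCP_LEN.
 * fixed == 0 reproduces the reported defect: the break sits inside the
 * v4-mapped branch only, so the "fake data" branch continues into the
 * AF_UNIX case, and that branch pads with 8 bytes instead of 6.
 * fixed == 1 applies the patch: one break after the if/else, 6 pad bytes.
 */
static int fill_xdmcp(struct writer *w, enum fam family, int v4mapped, int fixed)
{
    static const unsigned char addr[4] = { 127, 0, 0, 1 };  /* constructed sample */
    static const unsigned char port[2] = { 0x17, 0x70 };    /* 6000, constructed */
    int i;

    memset(w, 0, sizeof *w);
    for (i = 0; i < 8; i++) put(w, 0x11);   /* rho placeholder (assumed layout) */

    switch (family) {
    case FAM_INET:
        for (i = 0; i < 4; i++) put(w, addr[i]);
        for (i = 0; i < 2; i++) put(w, port[i]);
        break;
    case FAM_INET6:
        if (v4mapped) {
            for (i = 0; i < 4; i++) put(w, addr[i]);
            for (i = 0; i < 2; i++) put(w, port[i]);
            if (!fixed) break;              /* buggy: break only in this branch */
        } else {
            int pad = fixed ? 6 : 8;        /* fake data to keep the fields aligned */
            for (i = 0; i < pad; i++) put(w, 0);
        }
        if (fixed) break;                   /* patched: one break for both branches */
        /* FALLTHROUGH in the buggy build: continues into the AF_UNIX case */
    case FAM_UNIX:
        for (i = 0; i < 6; i++) put(w, 0xff);  /* fake local address (assumed) */
        break;
    }

    for (i = 0; i < 4; i++) put(w, 0x22);   /* timestamp placeholder (assumed layout) */
    while (w->j < XDMCP_LEN) put(w, 0);     /* zero-pad to 192 bits */
    return w->overflow ? -1 : (int)w->j;
}

/* Convenience wrapper: bytes written for a given family/build, -1 on overflow. */
static int xdmcp_len(enum fam family, int v4mapped, int fixed)
{
    struct writer w;
    return fill_xdmcp(&w, family, v4mapped, fixed);
}

int main(void)
{
    printf("IPv6 non-mapped, buggy : %d\n", xdmcp_len(FAM_INET6, 0, 0));  /* -1 */
    printf("IPv6 non-mapped, fixed : %d\n", xdmcp_len(FAM_INET6, 0, 1));  /* 24 */
    printf("IPv6 v4-mapped, buggy  : %d\n", xdmcp_len(FAM_INET6, 1, 0));  /* 24 */
    printf("AF_UNIX, fixed         : %d\n", xdmcp_len(FAM_UNIX, 0, 1));   /* 24 */
    return 0;
}
```

Only the non-mapped IPv6 path in the buggy build overflows, which matches the report: the v4-mapped path had its own break, so the crash appears exactly when the .Xauthority entry is a non-mapped IPv6 address.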
>How-To-Repeat:
Have used X11 with IPv6 before.
Build Xfree4.4 from xsrc, re-enable TCP/IP by removing the -nolisten tcp
in Xservers and start the server. Run an X program with DISPLAY set
to localhost:0.
>Fix:
--- xsrc/xfree/xc/lib/X11/ConnDis.c 2004/03/05 14:24:07 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/ConnDis.c 2004/04/07 23:16:48
@@ -1098,14 +1098,14 @@
/* Port number */
for (i=2; i<4; i++)
xdmcp_data[j++] = ((char *)addr)[i];
- break;
} else {
/* Fake data to keep the data aligned. Otherwise the
the server will bail about incorrect timing data */
- for (i = 0; i < 8; i++) {
+ for (i = 0; i < 6; i++) {
xdmcp_data[j++] = 0;
}
}
+ break;
}
#endif /* AF_INET6 */
#ifdef AF_UNIX
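Review bot: moving the break out of the if branch to after the closing brace of the if/else is the right fix for the fall-through; with the original placement only the v4-mapped path left the switch, and the else path ran straight on into the #ifdef AF_UNIX case that follows. Two further points on the hunk. First, the 8 -> 6 change in the else loop is only correct if the if branch writes exactly 6 bytes in total: the visible port loop writes 2, so the address copy above the hunk must write 4, which is worth confirming against the wider context since the hunk does not show it. Second, none of the xdmcp_data[j++] stores in this switch checks j against the buffer's 24-byte size that the report mentions; a single length check after the switch, or writing through a bounds-checked helper, would turn any future fall-through into a detectable error instead of a silent stack overwrite. Minor: the context comment reads "Otherwise the / the server will bail", a duplicated "the" that could be cleaned up while these lines are being touched.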
>Release-Note:
>Audit-Trail:
>Unformatted: