Subject: xsrc/25098: Xlib segfaults with IPv6
List: netbsd-bugs
Date: 04/08/2004 01:20:51
>Number:         25098
>Category:       xsrc
>Synopsis:       Xlib segfaults with IPv6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 07 23:22:00 UTC 2004
>Originator:     Michael van Elst
>Release:        NetBSD 1.6.2
                                Michael van Elst
                                "A potential Snark may lurk in every tree."
System: NetBSD pepew 1.6.2 NetBSD 1.6.2 (PEPEW) #1: Mon Feb 23 23:34:11 MET 2004 src@pepew:/amd/fud/d/0/src/sys/arch/i386/compile/PEPEW i386
Architecture: i386
Machine: i386
All X11 programs segfault if connecting via TCP/IP to an X server
and if IPv6 XDM-AUTHORIZATION-1 data exists in .Xauthority.

This is caused by a missing break statement in GetAuthorization.
As a consequence a 24 byte XDMCP buffer is filled by the AF_INET6
clause and then falls through to the AF_UNIX clause, which overflows
the buffer.

Additionally the xdmcp buffer is filled incorrectly for AF_INET6.

Please also note the 'XXX This should probably never happen'
comment in that switch clause.
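As an added C model of the overflow described above (example code, not Xlib's ConnDis.c; the family tags, the per-clause payload sizes and the prefix already in the buffer are constructed assumptions), showing how the missing break lets the AF_UNIX clause run after the AF_INET6 clause and push writes past the end of the 24-byte xdmcp_data, and how a bounds-checked writer refuses those writes instead of corrupting memory:

```c
#include <stddef.h>
#include <string.h>

#define XDMCP_LEN 24   /* the 24-byte xdmcp_data buffer named in the report */

/* Hypothetical family tags and payload sizes (constructed, not the real
 * sockaddr layouts): the AF_INET6 clause writes 18 bytes, AF_UNIX 6. */
enum { FAM_INET6 = 1, FAM_UNIX = 2 };
enum { INET6_BYTES = 18, UNIX_BYTES = 6 };

/* Bounds-checked append: 1 on success, 0 if the byte would land past the
 * end of the buffer (the write is refused instead of corrupting memory). */
static int put_byte(unsigned char *buf, size_t cap, size_t *j, unsigned char b)
{
    if (*j >= cap)
        return 0;
    buf[(*j)++] = b;
    return 1;
}

/* Model of the GetAuthorization switch.  `prefix` bytes are already in the
 * buffer (auth key and time stamp in the real code).  fixed == 0 reproduces
 * the missing break, so AF_INET6 falls into the AF_UNIX clause; fixed == 1
 * breaks.  Returns how many bytes the clauses tried to write past the end of
 * xdmcp_data (0 means no overflow); *attempted, if non-NULL, receives the
 * total number of bytes the clauses tried to write. */
size_t fill_xdmcp(int family, size_t prefix, int fixed, size_t *attempted)
{
    unsigned char xdmcp_data[XDMCP_LEN];
    size_t j = 0, i, tried = 0, refused = 0;

    memset(xdmcp_data, 0, sizeof xdmcp_data);
    for (i = 0; i < prefix; i++, tried++)
        refused += !put_byte(xdmcp_data, XDMCP_LEN, &j, 0x5a);

    switch (family) {
    case FAM_INET6:
        for (i = 0; i < INET6_BYTES; i++, tried++)
            refused += !put_byte(xdmcp_data, XDMCP_LEN, &j, (unsigned char)i);
        if (fixed)
            break;          /* the break the patch adds */
        /* FALLTHROUGH */   /* the bug: the AF_UNIX clause runs as well */
    case FAM_UNIX:
        for (i = 0; i < UNIX_BYTES; i++, tried++)
            refused += !put_byte(xdmcp_data, XDMCP_LEN, &j, 0);
        break;
    }
    if (attempted)
        *attempted = tried;
    return refused;
}
```

With a 4-byte prefix the fixed path fills 22 of 24 bytes, while the fallthrough path tries to write 28 and the last 4 writes are refused.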

See also:

Have used X11 with IPv6 before.

Build Xfree4.4 from xsrc, re-enable TCP/IP by removing the -nolisten tcp
in Xservers and start the server. Run an X program with DISPLAY set
to localhost:0.

--- xsrc/xfree/xc/lib/X11/ConnDis.c   2004/03/05 14:24:07
+++ xsrc/xfree/xc/lib/X11/ConnDis.c   2004/04/07 23:16:48
@@ -1098,14 +1098,14 @@
                /* Port number */
                for (i=2; i<4; i++)
                    xdmcp_data[j++] = ((char *)addr)[i];
-               break;
            } else {
                /* Fake data to keep the data aligned. Otherwise the 
                   the server will bail about incorrect timing data */
-               for (i = 0; i < 8; i++) {
+               for (i = 0; i < 6; i++) {
                    xdmcp_data[j++] = 0;
+            break;
 #endif /* AF_INET6 */
 #ifdef AF_UNIX
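Review bot: the added `break;` sits between `xdmcp_data[j++] = 0;` and `#endif /* AF_INET6 */`, but the closing braces of the `for` loop and of the `else` block are not in this excerpt, so it cannot be seen here whether the break lands after the `else` block (ending the AF_INET6 case for both branches, which is what the description calls for) or inside the loop or block body; please include those context lines, and indent the new line like the `break;` it replaces and the surrounding `for` (it is currently indented less). The change of the padding loop from 8 to 6 iterations is not explained in the hunk: the "Fake data to keep the data aligned" comment says nothing about the size being aligned to, so a short comment stating what the padding must match (the other branch writes, among other bytes, the 2 port bytes via `for (i=2; i<4; i++)`) would document why 6 is the right count; while touching that comment, the duplicated "the the" could be fixed.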