Xi: Zero target buffer in SProcXSendExtensionEvent.

Make sure that the xEvent eventT is initialized with zeros, the same way as in SProcSendEvent. Some event swapping functions do not overwrite all 32 bytes of xEvent structure, for example XSecurityAuthorizationRevoked. Two cooperating clients, one swapped and the other not, can send XSecurityAuthorizationRevoked event to each other to retrieve old stack data from X server. This can be potentialy misused to go around ASLR or stack-protector. Signed-off-by: Michal Srb <msrb@suse.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
author: Michal Srb <msrb@suse.com> 2017-05-24 15:54:39 +0300
committer: Peter Hutterer <peter.hutterer@who-t.net> 2017-06-19 11:58:44 +1000
commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced (patch)
tree: f5f0d72f7f9685230b29b7ba46e19957c93fd49b
parent: d82c3cee02a99cf7861d1effaa5c7d38683a7783 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 11d82029f..1cf118ab6 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
 {
     CARD32 *p;
     int i;
-    xEvent eventT;
+    xEvent eventT = { .u.u.type = 0 };
     xEvent *eventP;
     EventSwapPtr proc;
author	Michal Srb <msrb@suse.com>	2017-05-24 15:54:39 +0300
committer	Peter Hutterer <peter.hutterer@who-t.net>	2017-06-19 11:58:44 +1000
commit	05442de962d3dc624f79fc1a00eca3ffc5489ced (patch)
tree	f5f0d72f7f9685230b29b7ba46e19957c93fd49b
parent	d82c3cee02a99cf7861d1effaa5c7d38683a7783 (diff)