From f51fea01a385a92b3feea6791f804ba4355d2b1b Mon Sep 17 00:00:00 2001
From: matthieu
Date: Sat, 14 Oct 2017 09:35:14 +0000
Subject: [PATCH] MFC: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
---
 xserver/dix/dispatch.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/xserver/dix/dispatch.c b/xserver/dix/dispatch.c
index 2c201245a..0d6bd914e 100644
--- a/xserver/dix/dispatch.c
+++ b/xserver/dix/dispatch.c
@@ -3654,7 +3654,12 @@ ProcEstablishConnection(ClientPtr client)
 prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
 auth_proto = (char *) prefix + sz_xConnClientPrefix;
 auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
 (prefix->minorVersion != X_PROTOCOL_REVISION))
 reason = "Protocol version mismatch";
 else
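Review bot: The new length test in ProcEstablishConnection carries no comment, although it is the only visible check that ties the client-declared `nbytesAuthProto` and `nbytesAuthString` to the size of the request actually received. I would add above the `if`: `/* req_len is in 4-byte units: the request must be exactly header + prefix + both padded auth fields, otherwise auth_proto/auth_string would point past the client's data (CVE-2017-12176) */`. Also note that `prefix->nbytesAuthProto` is already dereferenced in the `auth_string` assignment on the context line just before the check; that read is only safe if an earlier step guarantees the full prefix was received, which this hunk does not show. The function begins and ends outside the hunk, so how `reason` is reported, and whether a "Bad length" rejection is logged for later triage, cannot be confirmed from here.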