From fe08a081d8eb797446fc622cdaadf9d9985e7487 Mon Sep 17 00:00:00 2001
From: matthieu <matthieu@openbsd.org>
Date: Sat, 14 Oct 2017 09:17:40 +0000
Subject: [PATCH] MFC: os: Make sure big requests have sufficient length.

A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF.  Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
---
 xserver/os/io.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xserver/os/io.c b/xserver/os/io.c
index 96a243d8c..bc26da7e5 100644
--- a/xserver/os/io.c
+++ b/xserver/os/io.c
@@ -480,6 +480,11 @@ ReadRequestFromClient(ClientPtr client)
         if (++timesThisConnection >= MAX_TIMES_PER)
             YieldControl();
     if (move_header) {
+        if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+            YieldControlDeath();
+            return -1;
+        }
+
         request = (xReq *) oci->bufptr;
         oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
         *(xReq *) oci->bufptr = *request;