X11: Handle GenericEvents longer than 32 bytes.
While X11 Events are generally fixed-length, GenericEvents extend the protocol to provide a length field, similar to Replies. As noted in the extension spec, if a GenericEvent longer than 32 bytes is sent to a client unable to process it, "future interpretation of replies and events by this client will fail." See https://www.x.org/releases/current/doc/xextproto/geproto.html This patch merely prevents that failure case. It does not attempt to meaningfully dissect the contents of such packets, which in any case will vary depending on the relevant X11 extension.
This commit is contained in:
Chloe Pelling
parent
f5dc703259
commit
a2b17d3dbe
|
|
@ -5207,7 +5207,7 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
*/
|
||||
if (x11_desegment && pinfo->can_desegment) {
|
||||
/*
|
||||
* Yes - is the X11 reply header split across
|
||||
* Yes - is the X11 Reply or GenericEvent header split across
|
||||
* segment boundaries?
|
||||
*/
|
||||
if (length_remaining < 8) {
|
||||
|
|
@ -5282,6 +5282,24 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
break;
|
||||
}
|
||||
|
||||
case GenericEvent:
|
||||
{
|
||||
/* An Event, but with a length field like a Reply. */
|
||||
|
||||
/* To avoid an "assert w/side-effect" warning,
|
||||
* use a non-volatile temp variable instead. */
|
||||
int tmp_plen;
|
||||
|
||||
/* GenericEvent's length is also in units of four. */
|
||||
tmp_plen = plen = 32 + tvb_get_guint32(tvb, offset + 4, byte_order) * 4;
|
||||
/* If tmp_plen < 32, we got an overflow;
|
||||
* the event length is too long. */
|
||||
THROW_ON(tmp_plen < 32, ReportedBoundsError);
|
||||
HANDLE_REPLY(plen, length_remaining,
|
||||
"Event", dissect_x11_event);
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
/* Event */
|
||||
plen = 32;
|
||||
|
|
|
|||
Loading…
Reference in New Issue