[haiku-bugs] Re: [Haiku] #8831: input_server shouldn't use pointers as a cookie

  • From: "bonefish" <trac@xxxxxxxxxxxx>
  • Date: Sat, 04 Aug 2012 15:39:07 -0000

#8831: input_server shouldn't use pointers as a cookie
------------------------------------+----------------------------
   Reporter:  xyzzy                 |      Owner:  korli
       Type:  bug                   |     Status:  new
   Priority:  normal                |  Milestone:  R1
  Component:  Servers/input_server  |    Version:  R1/Development
 Resolution:                        |   Keywords:
 Blocked By:                        |   Blocking:
Has a Patch:  0                     |   Platform:  All
------------------------------------+----------------------------

Comment (by bonefish):

 I haven't really looked at what happens with the pointer, particularly
 whether it is sent back to the input server and how it is used there. E.g.
 dangerous code in the input server would be:
 {{{
 void* cookie;
 if (message.FindPointer("cookie", &cookie) == B_OK) {
         BInputServerMethod* method = (BInputServerMethod*)cookie;
         method->DoSomething();
 }
 }}}
 This way a bug in the application hosting the replicant (i.e. the Deskbar)
 could compromise the input server. Harmless code would be:
 {{{
 void* cookie;
 if (message.FindPointer("cookie", &cookie) == B_OK) {
         foreach (BInputServerMethod* method = ...) {
                 if (cookie == method)
                         method->DoSomething();
         }
 }
 }}}
 In this case the only bad thing that could happen is that the wrong method
 is targeted due to pointer reuse. Though I guess that would be rather
 unlikely and harmless as well.

-- 
Ticket URL: <http://dev.haiku-os.org/ticket/8831#comment:4>
Haiku <http://dev.haiku-os.org>
Haiku - the operating system.
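
Added example, not part of the ticket or of Haiku's code: it goes one step beyond the "harmless" variant in the comment above by handing out an integer token instead of a pointer, so the value received from the client is only ever used as a lookup key and the pointer-reuse case cannot occur. Method and MethodRegistry are hypothetical stand-ins for BInputServerMethod and the input server's method list.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Hypothetical stand-in for BInputServerMethod (not the Haiku class).
struct Method {
    std::string name;
    int activations = 0;
    explicit Method(const std::string& n) : name(n) {}
    void DoSomething() { ++activations; }
};

// Hypothetical server-side table; clients only ever see the integer token.
class MethodRegistry {
public:
    // Returns the opaque cookie to hand out instead of a pointer.
    uint64_t Register(const std::string& name) {
        uint64_t token = fNextToken++;  // 64-bit counter: a token is not reissued
        fMethods.emplace(token, Method(name));
        return token;
    }
    void Unregister(uint64_t token) { fMethods.erase(token); }

    // Unknown or stale tokens resolve to nullptr; no client value is dereferenced.
    Method* Lookup(uint64_t token) {
        auto it = fMethods.find(token);
        return it == fMethods.end() ? nullptr : &it->second;
    }

    // What the message handler would do with the received "cookie" field.
    bool HandleCookie(uint64_t cookie) {
        Method* method = Lookup(cookie);
        if (method == nullptr)
            return false;  // reject the message instead of crashing
        method->DoSomething();
        return true;
    }
private:
    std::map<uint64_t, Method> fMethods;
    uint64_t fNextToken = 1;
};

int main() {
    MethodRegistry registry;
    uint64_t token = registry.Register("constructed-method");
    std::printf("valid: %d, forged: %d\n", registry.HandleCookie(token),
        registry.HandleCookie(0xdeadbeefULL));
}
```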
