From f9a70e79391f6d7c2a912d785239ee8effc1922d Mon Sep 17 00:00:00 2001
From: Peter Lieven <pl@kamp.de>
Date: Mon, 30 Jun 2014 10:07:54 +0200
Subject: [PATCH] ui/vnc: limit client_cut_text msg payload size
|
currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocate
that amount of memory which could easily create an
out of memory condition.
|
This patch limits the payload size to 1MB max.
|
Please note that client_cut_text messages are currently
silently ignored.
|
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc.c | 13 ++++++++++---
1 files changed, 10 insertions(+), 3 deletions(-)
|
diff --git a/tools/qemu-xen/ui/vnc.c b/tools/qemu-xen/ui/vnc.c
|
|
|
1ae438b |
index 14a86c3..19ce988 100644
|
|
|
1ae438b |
--- a/tools/qemu-xen/ui/vnc.c
|
|
|
1ae438b |
+++ b/tools/qemu-xen/ui/vnc.c
|
|
|
1ae438b |
@@ -2165,13 +2165,20 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
|
|
|
1ae438b |
pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
|
|
|
1ae438b |
break;
|
|
|
1ae438b |
case VNC_MSG_CLIENT_CUT_TEXT:
|
|
|
1ae438b |
- if (len == 1)
|
|
|
1ae438b |
+ if (len == 1) {
|
|
|
1ae438b |
return 8;
|
|
|
1ae438b |
-
|
|
|
1ae438b |
+ }
|
|
|
1ae438b |
if (len == 8) {
|
|
|
1ae438b |
uint32_t dlen = read_u32(data, 4);
|
|
|
1ae438b |
- if (dlen > 0)
|
|
|
1ae438b |
+ if (dlen > (1 << 20)) {
|
|
|
1ae438b |
+ error_report("vnc: client_cut_text msg payload has %u bytes"
|
|
|
1ae438b |
+ " which exceeds our limit of 1MB.", dlen);
|
|
|
1ae438b |
+ vnc_client_error(vs);
|
|
|
1ae438b |
+ break;
|
|
|
1ae438b |
+ }
|
|
|
1ae438b |
+ if (dlen > 0) {
|
|
|
1ae438b |
return 8 + dlen;
|
|
|
1ae438b |
+ }
|
|
|
1ae438b |
}
|
|
|
1ae438b |
|
|
|
1ae438b |
client_cut_text(vs, read_u32(data, 4), data + 8);
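Review bot: The cap on the added `if (dlen > (1 << 20)) {` line is a magic number that the error_report text two lines below repeats as the literal "1MB", so the check and the message will drift apart if the limit is ever tuned; a file-scope `#define VNC_CLIENT_CUT_TEXT_MAX (1 << 20)` used as `if (dlen > VNC_CLIENT_CUT_TEXT_MAX) {` keeps them in step and makes the limit searchable. The handling is also worth a one-line comment on the check, since vnc_client_error() appears to drop the connection rather than just discarding the paste, e.g. `/* cut_text is ignored anyway; an oversized payload is treated as hostile and the client is disconnected */`. Below the cap, returning `8 + dlen` presumably still makes the caller buffer up to 1 MB per connection of data that client_cut_text then ignores, which is bounded but not free with many concurrent clients. protocol_client_msg starts and ends outside this hunk.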
--
1.7.0.4