51 lines
1.5 KiB
Diff
51 lines
1.5 KiB
Diff
|
References: bsc#944463
|
||
|
|
|
||
|
|
Subject: ui/vnc: limit client_cut_text msg payload size
|
||
|
|
From: Peter Lieven pl@kamp.de Mon Jun 30 10:07:54 2014 +0200
|
||
|
|
Date: Tue Jul 1 13:26:40 2014 +0200:
|
||
|
|
Git: f9a70e79391f6d7c2a912d785239ee8effc1922d
|
||
|
|
|
||
|
|
currently a malicious client could define a payload
|
||
|
|
size of 2^32 - 1 bytes and send up to that size of
|
||
|
|
data to the vnc server. The server would allocated
|
||
|
|
that amount of memory which could easily create an
|
||
|
|
out of memory condition.
|
||
|
|
|
||
|
|
This patch limits the payload size to 1MB max.
|
||
|
|
|
||
|
|
Please note that client_cut_text messages are currently
|
||
|
|
silently ignored.
|
||
|
|
|
||
|
|
Signed-off-by: Peter Lieven <pl@kamp.de>
|
||
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||
|
|
|
||
|
|
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
|
||
|
|
===================================================================
|
||
|
|
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
|
||
|
|
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
|
||
|
|
@@ -1779,14 +1779,21 @@ static int protocol_client_msg(VncState
|
||
|
|
pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
|
||
|
|
break;
|
||
|
|
case 6:
|
||
|
|
- if (len == 1)
|
||
|
|
+ if (len == 1) {
|
||
|
|
return 8;
|
||
|
|
-
|
||
|
|
+ }
|
||
|
|
if (len == 8) {
|
||
|
|
uint32_t v;
|
||
|
|
v = read_u32(data, 4);
|
||
|
|
- if (v)
|
||
|
|
+ if (v > (1 << 20)) {
|
||
|
|
+ VNC_DEBUG("vnc: client_cut_text msg payload has %u bytes"
|
||
|
|
+ " which exceeds our limit of 1MB.", v);
|
||
|
|
+ vnc_client_error(vs);
|
||
|
|
+ break;
|
||
|
|
+ }
|
||
|
|
+ if (v > 0) {
|
||
|
|
return 8 + v;
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
|
||
|
|
client_cut_text(vs, read_u32(data, 4), (char *)(data + 8));
|