|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-unstable] ui/vnc: limit client_cut_text msg payload size
commit 2b5684137e81251c37e349525e869e6a076f9574
Author: Peter Lieven <pl@xxxxxxx>
AuthorDate: Mon Jun 30 10:07:54 2014 +0200
Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Tue Sep 8 15:07:06 2015 +0100
ui/vnc: limit client_cut_text msg payload size
currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocated
that amount of memory which could easily create an
out of memory condition.
This patch limits the payload size to 1MB max.
Please note that client_cut_text messages are currently
silently ignored.
Signed-off-by: Peter Lieven <pl@xxxxxxx>
Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
(cherry picked from commit f9a70e79391f6d7c2a912d785239ee8effc1922d)
Conflicts:
ui/vnc.c
Dropped { } style changes.
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
vnc.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/vnc.c b/vnc.c
index 7629dfa..86c2ff4 100644
--- a/vnc.c
+++ b/vnc.c
@@ -1768,6 +1768,12 @@ static int protocol_client_msg(VncState *vs, uint8_t
*data, size_t len)
if (len == 8) {
uint32_t v;
v = read_u32(data, 4);
+ if (v > (1 << 20)) {
+ error_report("vnc: client_cut_text msg payload has %u bytes"
+ " which exceeds our limit of 1MB.", v);
+ vnc_client_error(vs);
+ break;
+ }
if (v)
return 8 + v;
}
--
generated by git-patchbot for /home/xen/git/qemu-xen-unstable.git
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |