From patchwork Tue Jul 1 11:34:00 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gerd Hoffmann X-Patchwork-Id: 366081 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 1010E14008B for ; Tue, 1 Jul 2014 21:36:40 +1000 (EST) Received: from localhost ([::1]:46344 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X1wMY-00029p-9K for incoming@patchwork.ozlabs.org; Tue, 01 Jul 2014 07:36:38 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33177) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X1wKO-0007RK-Ml for qemu-devel@nongnu.org; Tue, 01 Jul 2014 07:34:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1X1wKJ-00052S-QK for qemu-devel@nongnu.org; Tue, 01 Jul 2014 07:34:24 -0400 Received: from mx1.redhat.com ([209.132.183.28]:65271) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X1wKJ-00052G-Hk for qemu-devel@nongnu.org; Tue, 01 Jul 2014 07:34:19 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s61BY9Kj028829 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 1 Jul 2014 07:34:09 -0400 Received: from nilsson.home.kraxel.org (ovpn-116-25.ams2.redhat.com [10.36.116.25]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s61BY7EH026422; Tue, 1 Jul 2014 07:34:08 -0400 Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id B0F7A8065B; Tue, 1 Jul 2014 13:34:06 +0200 (CEST) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Tue, 1 Jul 2014 13:34:00 +0200 Message-Id: <1404214441-5106-2-git-send-email-kraxel@redhat.com> In-Reply-To: <1404214441-5106-1-git-send-email-kraxel@redhat.com> References: <1404214441-5106-1-git-send-email-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Peter Lieven , Gerd Hoffmann , Anthony Liguori Subject: [Qemu-devel] [PULL 1/2] ui/vnc: limit client_cut_text msg payload size X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Peter Lieven currently a malicious client could define a payload size of 2^32 - 1 bytes and send up to that size of data to the vnc server. The server would allocated that amount of memory which could easily create an out of memory condition. This patch limits the payload size to 1MB max. Please note that client_cut_text messages are currently silently ignored. Signed-off-by: Peter Lieven Signed-off-by: Gerd Hoffmann --- ui/vnc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ui/vnc.c b/ui/vnc.c index 14a86c3..19ce988 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2165,13 +2165,20 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4)); break; case VNC_MSG_CLIENT_CUT_TEXT: - if (len == 1) + if (len == 1) { return 8; - + } if (len == 8) { uint32_t dlen = read_u32(data, 4); - if (dlen > 0) + if (dlen > (1 << 20)) { + error_report("vnc: client_cut_text msg payload has %u bytes" + " which exceeds our limit of 1MB.", dlen); + vnc_client_error(vs); + break; + } + if (dlen > 0) { return 8 + dlen; + } } client_cut_text(vs, read_u32(data, 4), data + 8);