ui/vnc: limit client_cut_text msg payload size

currently a malicious client could define a payload size of 2^32 - 1 bytes and send up to that size of data to the vnc server. The server would allocated that amount of memory which could easily create an out of memory condition. This patch limits the payload size to 1MB max. Please note that client_cut_text messages are currently silently ignored. Signed-off-by: N Peter Lieven <pl@kamp.de> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

ui/vnc: limit client_cut_text msg payload size
currently a malicious client could define a payload size of 2^32 - 1 bytes and send up to that size of data to the vnc server. The server would allocated that amount of memory which could easily create an out of memory condition. This patch limits the payload size to 1MB max. Please note that client_cut_text messages are currently silently ignored. Signed-off-by: N Peter Lieven <pl@kamp.de> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
f9a70e79 · Peter Lieven · Gerd Hoffmann · b3959efd · f9a70e79
隐藏空白更改
内联并排

Showing with 10 addition and 3 deletion

ui/vnc.c ui/vnc.c +10 -3

未找到文件。
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2165,13 +2165,20 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
        pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
        break;
    case VNC_MSG_CLIENT_CUT_TEXT:
-        if (len == 1)
+        if (len == 1) {
            return 8;
-
+        }
        if (len == 8) {
            uint32_t dlen = read_u32(data, 4);
-            if (dlen > 0)
+            if (dlen > (1 << 20)) {
+                error_report("vnc: client_cut_text msg payload has %u bytes"
+                             " which exceeds our limit of 1MB.", dlen);
+                vnc_client_error(vs);
+                break;
+            }
+            if (dlen > 0) {
                return 8 + dlen;
+            }
        }

        client_cut_text(vs, read_u32(data, 4), data + 8);