|
 |
dde763 |
From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001
|
|
|
dde763 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
dde763 |
Date: Thu, 10 Jan 2019 12:11:04 +0100
|
|
|
dde763 |
Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in
|
|
|
dde763 |
rfbserver.c:rfbProcessFileTransferReadBuffer())
|
|
|
dde763 |
MIME-Version: 1.0
|
|
|
dde763 |
Content-Type: text/plain; charset=UTF-8
|
|
|
dde763 |
Content-Transfer-Encoding: 8bit
|
|
|
dde763 |
|
|
|
dde763 |
This patch contains the following three upstream patches squashed
|
|
|
dde763 |
together and ported to 0.9.11 version:
|
|
|
dde763 |
|
|
|
dde763 |
commit 502821828ed00b4a2c4bef90683d0fd88ce495de
|
|
|
dde763 |
Author: Christian Beier <dontmind@freeshell.org>
|
|
|
dde763 |
Date: Sun Oct 21 20:21:30 2018 +0200
|
|
|
dde763 |
|
|
|
dde763 |
LibVNCServer: fix heap out-of-bound write access
|
|
|
dde763 |
|
|
|
dde763 |
Closes #243
|
|
|
dde763 |
|
|
|
dde763 |
commit 15bb719c03cc70f14c36a843dcb16ed69b405707
|
|
|
dde763 |
Author: Christian Beier <dontmind@freeshell.org>
|
|
|
dde763 |
Date: Sun Jan 6 15:13:56 2019 +0100
|
|
|
dde763 |
|
|
|
dde763 |
Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
|
|
|
dde763 |
|
|
|
dde763 |
re #273
|
|
|
dde763 |
|
|
|
dde763 |
commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
|
|
|
dde763 |
Author: Petr Písař <ppisar@redhat.com>
|
|
|
dde763 |
Date: Mon Jan 7 10:40:01 2019 +0100
|
|
|
dde763 |
|
|
|
dde763 |
Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
|
|
|
dde763 |
|
|
|
dde763 |
This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
|
|
|
dde763 |
out-of-bound write access in rfbProcessFileTransferReadBuffer() when
|
|
|
dde763 |
reading a transfered file content in a server. The former fix did not
|
|
|
dde763 |
work on platforms with a 32-bit int type (expected by rfbReadExact()).
|
|
|
dde763 |
|
|
|
dde763 |
CVE-2018-15127
|
|
|
dde763 |
<https://github.com/LibVNC/libvncserver/issues/243>
|
|
|
dde763 |
<https://github.com/LibVNC/libvncserver/issues/273>
|
|
|
dde763 |
|
|
|
dde763 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
dde763 |
---
|
|
|
dde763 |
libvncserver/rfbserver.c | 17 +++++++++++++++--
|
|
|
dde763 |
1 file changed, 15 insertions(+), 2 deletions(-)
|
|
|
dde763 |
|
|
|
dde763 |
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
|
|
dde763 |
index b50a7f4..1b4dd97 100644
|
|
|
dde763 |
--- a/libvncserver/rfbserver.c
|
|
|
dde763 |
+++ b/libvncserver/rfbserver.c
|
|
|
dde763 |
@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
|
|
|
dde763 |
int n=0;
|
|
|
dde763 |
|
|
|
dde763 |
FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
|
|
|
dde763 |
+
|
|
|
dde763 |
/*
|
|
|
dde763 |
- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
|
|
|
dde763 |
+ We later alloc length+1, which might wrap around on 32-bit systems if length equals
|
|
|
dde763 |
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
|
|
|
dde763 |
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
|
|
|
dde763 |
+ without problems as length is a uint32_t.
|
|
|
dde763 |
+ We also later pass length to rfbReadExact() that expects a signed int type and
|
|
|
dde763 |
+ that might wrap on platforms with a 32-bit int type if length is bigger
|
|
|
dde763 |
+ than 0X7FFFFFFF.
|
|
|
dde763 |
*/
|
|
|
dde763 |
+ if(length == SIZE_MAX || length > INT_MAX) {
|
|
|
dde763 |
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
|
|
|
dde763 |
+ rfbCloseClient(cl);
|
|
|
dde763 |
+ return NULL;
|
|
|
dde763 |
+ }
|
|
|
dde763 |
+
|
|
|
dde763 |
if (length>0) {
|
|
|
dde763 |
- buffer=malloc(length+1);
|
|
|
dde763 |
+ buffer=malloc((size_t)length+1);
|
|
|
dde763 |
if (buffer!=NULL) {
|
|
|
dde763 |
if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
|
|
|
dde763 |
if (n != 0)
|
|
|
dde763 |
--
|
|
|
dde763 |
2.17.2
|
|
|
dde763 |
|