rpms / libvncserver

Clone
Source Code
GIT

Blame SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   c8
  2.   SOURCES
  3.   libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
Blob History Raw
dde763 
From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
dde763 
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
dde763 
Date: Tue, 6 Mar 2018 11:58:02 +0100
dde763 
Subject: [PATCH] Limit client cut text length to 1 MB
dde763 
MIME-Version: 1.0
dde763 
Content-Type: text/plain; charset=UTF-8
dde763 
Content-Transfer-Encoding: 8bit
dde763
dde763 
This patch constrains client text length to 1 MB. Otherwise a client
dde763 
could make server allocate 2 GB of memory and that seems to be to much
dde763 
to classify it as denial of service.
dde763
dde763 
I keep the previous checks for maximal type values intentionally as
dde763 
a course of defensive coding. (You cannot never know how small the
dde763 
types are. And as a warning for people patching out this change not to
dde763 
introduce CVE-2018-7225 again.)
dde763
dde763 
Signed-off-by: Petr Písař <ppisar@redhat.com>
dde763 
---
dde763 
 libvncserver/rfbserver.c | 4 +++-
dde763 
 1 file changed, 3 insertions(+), 1 deletion(-)
dde763
dde763 
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
dde763 
index a9561fc..0027343 100644
dde763 
--- a/libvncserver/rfbserver.c
dde763 
+++ b/libvncserver/rfbserver.c
dde763 
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
dde763 
 	 * argument. Here we check that the value fits into all of them to
dde763 
 	 * prevent from misinterpretation and thus from accessing uninitialized
dde763 
 	 * memory. CVE-2018-7225 */
dde763 
-	if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
dde763 
+	/* But first to prevent from a denial-of-service by allocating to much
dde763 
+	 * memory in the server, we impose a limit of 1 MB. */
dde763 
+	if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
dde763 
 	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
dde763 
 		    msg.cct.length);
dde763 
 	    rfbCloseClient(cl);
dde763 
--
dde763 
2.13.6
dde763

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation