rpms / libvncserver

Clone
Source Code
GIT

Blame SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   c8s
  2.   SOURCES
  3.   libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
Blob History Raw
9b8edd 
From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
9b8edd 
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
9b8edd 
Date: Tue, 6 Mar 2018 11:58:02 +0100
9b8edd 
Subject: [PATCH] Limit client cut text length to 1 MB
9b8edd 
MIME-Version: 1.0
9b8edd 
Content-Type: text/plain; charset=UTF-8
9b8edd 
Content-Transfer-Encoding: 8bit
9b8edd
9b8edd 
This patch constrains client text length to 1 MB. Otherwise a client
9b8edd 
could make server allocate 2 GB of memory and that seems to be to much
9b8edd 
to classify it as denial of service.
9b8edd
9b8edd 
I keep the previous checks for maximal type values intentionally as
9b8edd 
a course of defensive coding. (You cannot never know how small the
9b8edd 
types are. And as a warning for people patching out this change not to
9b8edd 
introduce CVE-2018-7225 again.)
9b8edd
9b8edd 
Signed-off-by: Petr Písař <ppisar@redhat.com>
9b8edd 
---
9b8edd 
 libvncserver/rfbserver.c | 4 +++-
9b8edd 
 1 file changed, 3 insertions(+), 1 deletion(-)
9b8edd
9b8edd 
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
9b8edd 
index a9561fc..0027343 100644
9b8edd 
--- a/libvncserver/rfbserver.c
9b8edd 
+++ b/libvncserver/rfbserver.c
9b8edd 
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
9b8edd 
 	 * argument. Here we check that the value fits into all of them to
9b8edd 
 	 * prevent from misinterpretation and thus from accessing uninitialized
9b8edd 
 	 * memory. CVE-2018-7225 */
9b8edd 
-	if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
9b8edd 
+	/* But first to prevent from a denial-of-service by allocating to much
9b8edd 
+	 * memory in the server, we impose a limit of 1 MB. */
9b8edd 
+	if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
9b8edd 
 	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
9b8edd 
 		    msg.cct.length);
9b8edd 
 	    rfbCloseClient(cl);
9b8edd 
--
9b8edd 
2.13.6
9b8edd

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation