rpms / libvncserver

Clone
Source Code
GIT

Blame SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   07ca881ce05ff22fec1b3d0a20679c6978e43753
  2.   SOURCES
  3.   libvncserver-0.9.11-Validate-client-cut-text-length.patch
Blob History Raw
dde763 
From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001
dde763 
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
dde763 
Date: Mon, 26 Feb 2018 13:48:00 +0100
dde763 
Subject: [PATCH] Validate client cut text length
dde763 
MIME-Version: 1.0
dde763 
Content-Type: text/plain; charset=UTF-8
dde763 
Content-Transfer-Encoding: 8bit
dde763
dde763 
Client-provided unsigned 32-bit cut text length is passed to various
dde763 
functions that expects argument of a different type.
dde763
dde763 
E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the
dde763 
RFB server leads to 4294967295 msg.cct.length value that in turn is
dde763 
interpreted as -1 by rfbReadExact() and thus uninitialized str buffer
dde763 
with potentially sensitive data is passed to subsequent functions.
dde763
dde763 
This patch fixes it by checking for a maximal value that still can be
dde763 
processed correctly. It also corrects accepting length value of zero
dde763 
(malloc(0) is interpreted on differnet systems differently).
dde763
dde763 
Whether a client can make the server allocate up to 2 GB and cause
dde763 
a denial of service on memory-tight systems is kept without answer.
dde763 
A possible solution would be adding an arbitrary memory limit that is
dde763 
deemed safe.
dde763
dde763 
CVE-2018-7225
dde763 
<https://github.com/LibVNC/libvncserver/issues/218>
dde763
dde763 
Signed-off-by: Petr Písař <ppisar@redhat.com>
dde763 
---
dde763 
 libvncserver/rfbserver.c | 22 +++++++++++++++++++++-
dde763 
 1 file changed, 21 insertions(+), 1 deletion(-)
dde763
dde763 
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
dde763 
index 116c488..a9561fc 100644
dde763 
--- a/libvncserver/rfbserver.c
dde763 
+++ b/libvncserver/rfbserver.c
dde763 
@@ -88,6 +88,12 @@
dde763 
 #include <errno.h>
dde763 
 /* strftime() */
dde763 
 #include <time.h>
dde763 
+/* SIZE_MAX */
dde763 
+#include <stdint.h>
dde763 
+/* PRIu32 */
dde763 
+#include <inttypes.h>
dde763 
+/* INT_MAX */
dde763 
+#include <limits.h>
dde763
dde763 
 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
dde763 
 #include "rfbssl.h"
dde763 
@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
dde763
dde763 
 	msg.cct.length = Swap32IfLE(msg.cct.length);
dde763
dde763 
-	str = (char *)malloc(msg.cct.length);
dde763 
+	/* uint32_t input is passed to malloc()'s size_t argument,
dde763 
+	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
dde763 
+	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
dde763 
+	 * argument. Here we check that the value fits into all of them to
dde763 
+	 * prevent from misinterpretation and thus from accessing uninitialized
dde763 
+	 * memory. CVE-2018-7225 */
dde763 
+	if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
dde763 
+	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
dde763 
+		    msg.cct.length);
dde763 
+	    rfbCloseClient(cl);
dde763 
+	    return;
dde763 
+	}
dde763 
+
dde763 
+	/* Allow zero-length client cut text. */
dde763 
+	str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
dde763 
 	if (str == NULL) {
dde763 
 		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
dde763 
 		rfbCloseClient(cl);
dde763 
--
dde763 
2.13.6
dde763

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation