|
 |
e0f39d |
From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001
|
|
|
e0f39d |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
e0f39d |
Date: Mon, 26 Feb 2018 13:48:00 +0100
|
|
|
e0f39d |
Subject: [PATCH] Validate client cut text length
|
|
|
e0f39d |
MIME-Version: 1.0
|
|
|
e0f39d |
Content-Type: text/plain; charset=UTF-8
|
|
|
e0f39d |
Content-Transfer-Encoding: 8bit
|
|
|
e0f39d |
|
|
|
e0f39d |
Client-provided unsigned 32-bit cut text length is passed to various
|
|
|
e0f39d |
functions that expects argument of a different type.
|
|
|
e0f39d |
|
|
|
e0f39d |
E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the
|
|
|
e0f39d |
RFB server leads to 4294967295 msg.cct.length value that in turn is
|
|
|
e0f39d |
interpreted as -1 by rfbReadExact() and thus uninitialized str buffer
|
|
|
e0f39d |
with potentially sensitive data is passed to subsequent functions.
|
|
|
e0f39d |
|
|
|
e0f39d |
This patch fixes it by checking for a maximal value that still can be
|
|
|
e0f39d |
processed correctly. It also corrects accepting length value of zero
|
|
|
e0f39d |
(malloc(0) is interpreted on differnet systems differently).
|
|
|
e0f39d |
|
|
|
e0f39d |
Whether a client can make the server allocate up to 2 GB and cause
|
|
|
e0f39d |
a denial of service on memory-tight systems is kept without answer.
|
|
|
e0f39d |
A possible solution would be adding an arbitrary memory limit that is
|
|
|
e0f39d |
deemed safe.
|
|
|
e0f39d |
|
|
|
e0f39d |
CVE-2018-7225
|
|
|
e0f39d |
<https://github.com/LibVNC/libvncserver/issues/218>
|
|
|
e0f39d |
|
|
|
e0f39d |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
e0f39d |
---
|
|
|
e0f39d |
libvncserver/rfbserver.c | 22 +++++++++++++++++++++-
|
|
|
e0f39d |
1 file changed, 21 insertions(+), 1 deletion(-)
|
|
|
e0f39d |
|
|
|
e0f39d |
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
|
|
e0f39d |
index 116c488..a9561fc 100644
|
|
|
e0f39d |
--- a/libvncserver/rfbserver.c
|
|
|
e0f39d |
+++ b/libvncserver/rfbserver.c
|
|
|
e0f39d |
@@ -88,6 +88,12 @@
|
|
|
e0f39d |
#include <errno.h>
|
|
|
e0f39d |
/* strftime() */
|
|
|
e0f39d |
#include <time.h>
|
|
|
e0f39d |
+/* SIZE_MAX */
|
|
|
e0f39d |
+#include <stdint.h>
|
|
|
e0f39d |
+/* PRIu32 */
|
|
|
e0f39d |
+#include <inttypes.h>
|
|
|
e0f39d |
+/* INT_MAX */
|
|
|
e0f39d |
+#include <limits.h>
|
|
|
e0f39d |
|
|
|
e0f39d |
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
|
|
|
e0f39d |
#include "rfbssl.h"
|
|
|
e0f39d |
@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
|
|
|
e0f39d |
|
|
|
e0f39d |
msg.cct.length = Swap32IfLE(msg.cct.length);
|
|
|
e0f39d |
|
|
|
e0f39d |
- str = (char *)malloc(msg.cct.length);
|
|
|
e0f39d |
+ /* uint32_t input is passed to malloc()'s size_t argument,
|
|
|
e0f39d |
+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
|
|
|
e0f39d |
+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
|
|
|
e0f39d |
+ * argument. Here we check that the value fits into all of them to
|
|
|
e0f39d |
+ * prevent from misinterpretation and thus from accessing uninitialized
|
|
|
e0f39d |
+ * memory. CVE-2018-7225 */
|
|
|
e0f39d |
+ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
|
|
e0f39d |
+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
|
|
|
e0f39d |
+ msg.cct.length);
|
|
|
e0f39d |
+ rfbCloseClient(cl);
|
|
|
e0f39d |
+ return;
|
|
|
e0f39d |
+ }
|
|
|
e0f39d |
+
|
|
|
e0f39d |
+ /* Allow zero-length client cut text. */
|
|
|
e0f39d |
+ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
|
|
|
e0f39d |
if (str == NULL) {
|
|
|
e0f39d |
rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
|
|
|
e0f39d |
rfbCloseClient(cl);
|
|
|
e0f39d |
--
|
|
|
e0f39d |
2.13.6
|
|
|
e0f39d |
|