From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Tue, 3 Nov 2020 13:44:14 -0600
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size

Addresses GitHub Security Lab (GHSL) Vulnerability Report
`GHSL-2020-063`.

Re #275
---
 libvncclient/rfbproto.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 94751a22..7ba00b55 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -73,6 +73,8 @@
 #  define snprintf _snprintf /* MSVC went straight to the underscored syntax */
 #endif
 
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
+
 /*
  * rfbClientLog prints a time-stamped message to the log file (stderr).
  */
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
               client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
           break;
       default:
+         if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+             return FALSE;
           buffer=malloc(msg.tc.length+1);
           if (!ReadFromRFBServer(client, buffer, msg.tc.length))
           {
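Review bot: The result of `malloc(msg.tc.length+1)` is passed to ReadFromRFBServer without a NULL check, so even with the 10MB cap a failed allocation on a memory-constrained client becomes a write through a null pointer; add `if (!buffer) return FALSE;` directly after the allocation. The new early return is also silent, and an `rfbClientLog` line naming the rejected length would let an operator tell an oversized text-chat message from an ordinary disconnect. The comparison presumably relies on `msg.tc.length` being an unsigned type (its declaration is not visible in this hunk); if it were signed, a negative length would pass the check and reach `malloc`. HandleRFBServerMessage begins and ends outside the hunk, so how `buffer` is released on the other paths cannot be checked from here.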
-- 
2.28.0