From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 6 Mar 2018 11:58:02 +0100
Subject: [PATCH] Limit client cut text length to 1 MB
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch constrains client text length to 1 MB. Otherwise a client
could make server allocate 2 GB of memory and that seems to be to much
to classify it as denial of service.

I keep the previous checks for maximal type values intentionally as
a course of defensive coding. (You cannot never know how small the
types are. And as a warning for people patching out this change not to
introduce CVE-2018-7225 again.)

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 libvncserver/rfbserver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index a9561fc..0027343 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 	 * argument. Here we check that the value fits into all of them to
 	 * prevent from misinterpretation and thus from accessing uninitialized
 	 * memory. CVE-2018-7225 */
-	if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
+	/* But first to prevent from a denial-of-service by allocating to much
+	 * memory in the server, we impose a limit of 1 MB. */
+	if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
 	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
 		    msg.cct.length);
 	    rfbCloseClient(cl);
-- 
2.13.6