From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Tue, 6 Mar 2018 11:58:02 +0100 Subject: [PATCH] Limit client cut text length to 1 MB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch constrains client text length to 1 MB. Otherwise a client could make server allocate 2 GB of memory and that seems to be to much to classify it as denial of service. I keep the previous checks for maximal type values intentionally as a course of defensive coding. (You cannot never know how small the types are. And as a warning for people patching out this change not to introduce CVE-2018-7225 again.) Signed-off-by: Petr Písař --- libvncserver/rfbserver.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c index a9561fc..0027343 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c @@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) * argument. Here we check that the value fits into all of them to * prevent from misinterpretation and thus from accessing uninitialized * memory. CVE-2018-7225 */ - if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { + /* But first to prevent from a denial-of-service by allocating to much + * memory in the server, we impose a limit of 1 MB. */ + if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", msg.cct.length); rfbCloseClient(cl); -- 2.13.6