Commit 09e8fc0

Limit length to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
This amends 15bb719 fix for a heap out-of-bounds write access in rfbProcessFileTransferReadBuffer() when reading a transferred file content in a server. The former fix did not work on platforms with a 32-bit int type (expected by rfbReadExact()). CVE-2018-15127 <#243> <#273>
1 parent 0a70095 commit 09e8fc0

1 file changed

+6
-1
lines changed

Diff for: libvncserver/rfbserver.c

@@ -88,6 +88,8 @@
8888
#include <errno.h>
8989
/* strftime() */
9090
#include <time.h>
91+
/* INT_MAX */
92+
#include <limits.h>
9193

9294
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
9395
#include "rfbssl.h"
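Review bot: The new `#include <limits.h>` sits with the other system headers and follows this file's convention of annotating each header with the symbol it is pulled in for (`/* strftime() */` above `<time.h>`, `/* INT_MAX */` above `<limits.h>`), so no change is needed in this hunk; the only thing to confirm is that INT_MAX is the bound rfbReadExact() actually imposes (it takes an `int` length per the commit message), because the second hunk's check is only correct if that is the parameter type.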
@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
14721474
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
14731475
will safely be allocated since this check will never trigger and malloc() can digest length+1
14741476
without problems as length is a uint32_t.
1477+
We also later pass length to rfbReadExact() that expects a signed int type and
1478+
that might wrap on platforms with a 32-bit int type if length is bigger
1479+
than 0X7FFFFFFF.
14751480
*/
1476-
if(length == SIZE_MAX) {
1481+
if(length == SIZE_MAX || length > INT_MAX) {
14771482
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
14781483
rfbCloseClient(cl);
14791484
return NULL;
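Review bot: The `length == SIZE_MAX` half of the new condition is redundant once `length > INT_MAX` is present: `length` is a `uint32_t` (see the function signature in the hunk header), so on a 32-bit target SIZE_MAX is 0xFFFFFFFF and already exceeds INT_MAX, and on a 64-bit target a `uint32_t` can never equal SIZE_MAX, as the comment above the check itself points out. Consider simplifying to `if(length > INT_MAX) {` and rewording the comment so the one bound that matters is stated as coming from rfbReadExact() taking an `int`. Relatedly, the added comment's "might wrap" understates the problem: converting a `uint32_t` larger than INT_MAX to `int` gives an implementation-defined (in practice negative) value, so rfbReadExact() would be handed a negative length rather than a wrapped-around positive one; saying so makes the reason for the INT_MAX limit clearer to the next reader. The `%u` with the `(unsigned int)` cast in the rfbErr() call remains correct for all values that reach it.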
