
Commit e34bcbb

committed
LibVNCClient: ignore server-sent reason strings longer than 1MB
Fixes #273
1 parent c5ba3fe commit e34bcbb


1 file changed

+21
-24
lines changed


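--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -412,11 +412,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
 extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
 extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key);
 
+static void
+ReadReason(rfbClient* client)
+{
+uint32_t reasonLen;
+char *reason;
+
+if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+reasonLen = rfbClientSwap32IfLE(reasonLen);
+if(reasonLen > 1<<20) {
+rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
+return;
+}
+reason = malloc(reasonLen+1);
+if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+reason[reasonLen]=0;
+rfbClientLog("VNC connection failed: %s\n",reason);
+free(reason);
+}
+
 rfbBool
 rfbHandleAuthResult(rfbClient* client)
 {
-uint32_t authResult=0, reasonLen=0;
-char *reason=NULL;
+uint32_t authResult=0;
 
 if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
 
@@ -431,13 +449,7 @@ rfbHandleAuthResult(rfbClient* client)
 if (client->major==3 && client->minor>7)
 {
 /* we have an error following */
-if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
-reasonLen = rfbClientSwap32IfLE(reasonLen);
-reason = malloc((uint64_t)reasonLen+1);
-if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
-reason[reasonLen]=0;
-rfbClientLog("VNC connection failed: %s\n",reason);
-free(reason);
+ReadReason(client);
 return FALSE;
 }
 rfbClientLog("VNC authentication failed\n");
@@ -452,21 +464,6 @@ rfbHandleAuthResult(rfbClient* client)
 return FALSE;
 }
 
-static void
-ReadReason(rfbClient* client)
-{
-uint32_t reasonLen;
-char *reason;
-
-/* we have an error following */
-if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
-reasonLen = rfbClientSwap32IfLE(reasonLen);
-reason = malloc((uint64_t)reasonLen+1);
-if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
-reason[reasonLen]=0;
-rfbClientLog("VNC connection failed: %s\n",reason);
-free(reason);
-}
 
 static rfbBool
 ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)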
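Review bot: In the new `ReadReason`, `reason = malloc(reasonLen+1)` is not checked before the buffer is handed to `ReadFromRFBServer` and indexed at `reason[reasonLen]`, so an allocation failure on a server-chosen length of up to 1MB becomes a NULL write in the client. Folding the check into the existing guard keeps the cleanup path the same: `if (!reason || !ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }`. The over-limit `rfbClientLog` message also lacks the trailing `\n` that the other log calls in this section end with. A short comment on the 1MB branch would help later callers: it should note that the reason bytes are left unread on the socket, and that this relies on the caller failing the connection, as `rfbHandleAuthResult` does by returning FALSE right after the call.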
