SECURITY: memory leak in libvncclient in ConnectToRFBRepeater function #253

Closed
PaulCher opened this issue Sep 11, 2018 · 0 comments

The ConnectToRFBRepeater function leaks memory, because the tmphost buffer is filled using the snprintf function:

snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);

but afterwards the buffer is sent back to the client using WriteToRFBServer(client, tmphost, sizeof(tmphost)), which sends the whole tmphost buffer including its uninitialized part, which would expose uninitialized memory of the client application.

The example file examples/repeater.c contains the same kind of vulnerability as well.

This security issue is a result of my work at Kaspersky Lab ICS CERT Vulnerability Research Group in the position of Security Researcher.

For more information about ICS CERT please contact:
ics-cert@kaspersky.com
https://ics-cert.kaspersky.com/

Best regards,
Pavel Cheremushkin
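
The pattern reported above, next to a zero-initialized variant, as an added example that is not part of the original report or the project's code. The 250-byte buffer size, the 'S' fill standing in for leftover stack data, the sample host and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_LEN 250 /* assumed size of the fixed-length repeater field */

/* Constructed stand-in for whatever the stack held before the call. */
static void fill_stale(char *buf, size_t n) { memset(buf, 'S', n); }

/* Pattern from the issue: format a short string, then send sizeof(buffer). */
static size_t build_id_leaky(char *wire, const char *host, int port)
{
    char tmphost[ID_LEN];
    fill_stale(tmphost, sizeof(tmphost));
    snprintf(tmphost, sizeof(tmphost), "%s:%d", host, port);
    memcpy(wire, tmphost, sizeof(tmphost)); /* bytes a full-size write sends */
    return sizeof(tmphost);
}

/* Hardened: zero the whole buffer first, so the padding carries no data. */
static size_t build_id_zeroed(char *wire, const char *host, int port)
{
    char tmphost[ID_LEN];
    fill_stale(tmphost, sizeof(tmphost));
    memset(tmphost, 0, sizeof(tmphost));
    snprintf(tmphost, sizeof(tmphost), "%s:%d", host, port);
    memcpy(wire, tmphost, sizeof(tmphost));
    return sizeof(tmphost);
}

/* Count non-zero bytes after the terminator: data snprintf never wrote. */
static size_t stale_bytes(const char *wire, size_t n)
{
    const char *nul = memchr(wire, 0, n);
    size_t count = 0;
    for (size_t i = nul ? (size_t)(nul - wire) : n; i < n; i++)
        if (wire[i] != 0)
            count++;
    return count;
}

int main(void)
{
    char wire[ID_LEN];
    size_t n = build_id_leaky(wire, "10.0.0.5", 5900); /* constructed host */
    printf("sizeof write, no init: %zu stale bytes sent\n", stale_bytes(wire, n));
    n = build_id_zeroed(wire, "10.0.0.5", 5900);
    printf("sizeof write, zeroed:  %zu stale bytes sent\n", stale_bytes(wire, n));
    return 0;
}
```

The same `stale_bytes` check can be pointed at a captured fixed-length field in a regression test to confirm that everything after the terminator is zero.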

@bk138 bk138 closed this as completed in 8b06f83 Sep 29, 2018
bk138 added a commit that referenced this issue Nov 17, 2019