Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #436

Merged
merged 2 commits into from Mar 29, 2017
Merged

Fixes #436

merged 2 commits into from Mar 29, 2017

Conversation

michalsrb
Copy link
Contributor

Hi, here are two small fixes.

The length sent by client is U32, but is converted into int. If it was bigger than 0x7fffffff the resulting int is negative, it passes the check against maxCutText and later throws std::bad_alloc from CharArray which takes down the whole server.

All the Streaming API deals with lengths in ints, so we can't tell it to skip that big amount of data. And it is not realistic to expect more than 2GB of clipboard data anyway. So lets just throw rdr::Exception that will disconnect this client and keep the server alive.
They are created in SConnection's and CConnection's constructors but never destroyed.

There is no reason for the indirection, so lets make them direct members.
@CendioOssman CendioOssman merged commit dccb5f7 into TigerVNC:master Mar 29, 2017
@michalsrb michalsrb deleted the fix branch March 29, 2017 13:05
@carnil
Copy link

carnil commented Apr 1, 2017

This is CVE-2017-7395 and CVE-2017-7396 .

Specifically CVE-2017-7395 is assigned for bf3bdac and CVE-2017-7396 for dccb5f7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants