Skip to content

Commit f9a70e7

Browse files
plievenkraxel
authored andcommitted
ui/vnc: limit client_cut_text msg payload size
currently a malicious client could define a payload size of 2^32 - 1 bytes and send up to that size of data to the vnc server. The server would allocated that amount of memory which could easily create an out of memory condition. This patch limits the payload size to 1MB max. Please note that client_cut_text messages are currently silently ignored. Signed-off-by: Peter Lieven <pl@kamp.de> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 parent b3959ef commit f9a70e7

File tree

1 file changed

+10
-3
lines changed

1 file changed

+10
-3
lines changed

Diff for: ui/vnc.c

+10-3
Original file line numberDiff line numberDiff line change
@@ -2165,13 +2165,20 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
21652165
pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
21662166
break;
21672167
case VNC_MSG_CLIENT_CUT_TEXT:
2168-
if (len == 1)
2168+
if (len == 1) {
21692169
return 8;
2170-
2170+
}
21712171
if (len == 8) {
21722172
uint32_t dlen = read_u32(data, 4);
2173-
if (dlen > 0)
2173+
if (dlen > (1 << 20)) {
2174+
error_report("vnc: client_cut_text msg payload has %u bytes"
2175+
" which exceeds our limit of 1MB.", dlen);
2176+
vnc_client_error(vs);
2177+
break;
2178+
}
2179+
if (dlen > 0) {
21742180
return 8 + dlen;
2181+
}
21752182
}
21762183

21772184
client_cut_text(vs, read_u32(data, 4), data + 8);

0 commit comments

Comments
 (0)