Re: [Qemu-devel] possible denial of service via VNC
From: Anthony Liguori
Subject: Re: [Qemu-devel] possible denial of service via VNC
Date: Sun, 29 Jun 2014 10:12:13 -0700
On Sun, Jun 29, 2014 at 5:16 AM, Peter Lieven <address@hidden> wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
> case VNC_MSG_CLIENT_CUT_TEXT:
>     if (len == 1)
>         return 8;
>
>     if (len == 8) {
>         uint32_t dlen = read_u32(data, 4);
>         if (dlen > 0)
>             return 8 + dlen;
>     }
>
>     client_cut_text(vs, read_u32(data, 4), data + 8);
>     break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows the vs->input buffer to grow
> up to 2^32 + 8 bytes, which will possibly result in an out-of-memory condition.
The spec allows cut operations of this size. What would a reasonable limit be?
Regards,
Anthony Liguori
> Peter
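The following is an added illustration and not QEMU's code: it models the length computation the quoted snippet performs for the RFB ClientCutText message (type 6: one type byte, three padding bytes, a 4-byte big-endian text length, then the text), first without any bound, as in the thread, and then with a cap on the declared length so the input buffer cannot be driven to 2^32 + 8 bytes. The function names, the 0-means-complete convention, and the 1 MiB cap CUT_TEXT_MAX_LEN are assumptions made for the example, not values from QEMU or from the thread.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example modelling the ClientCutText length logic; not QEMU code. */

#define CUT_TEXT_HEADER_LEN 8

/* Illustrative cap on pasted text (constructed value, not a QEMU constant). */
#define CUT_TEXT_MAX_LEN (1u << 20)

/* Big-endian 32-bit read, same layout as read_u32() in the quoted snippet. */
static uint32_t rfb_read_u32(const uint8_t *data, size_t offset)
{
    return ((uint32_t)data[offset] << 24) |
           ((uint32_t)data[offset + 1] << 16) |
           ((uint32_t)data[offset + 2] << 8) |
           (uint32_t)data[offset + 3];
}

/* Mirrors the quoted logic: returns how many bytes the reader must have
 * buffered before the message is complete, trusting the client's declared
 * length without any bound. 0 means the message is complete. */
uint64_t cut_text_needed_unbounded(const uint8_t *data, size_t len)
{
    if (len == 1) {
        return CUT_TEXT_HEADER_LEN;           /* wait for the full header */
    }
    if (len == CUT_TEXT_HEADER_LEN) {
        uint32_t dlen = rfb_read_u32(data, 4);
        if (dlen > 0) {
            /* up to 2^32 - 1 + 8 bytes will be accumulated in the input buffer */
            return (uint64_t)CUT_TEXT_HEADER_LEN + dlen;
        }
    }
    return 0;  /* header and text present: caller would hand it to client_cut_text() */
}

/* Hardened variant: identical protocol handling, but a declared length
 * above CUT_TEXT_MAX_LEN is rejected with -1 so the buffer never grows past
 * CUT_TEXT_HEADER_LEN + CUT_TEXT_MAX_LEN. The caller drops the client on -1. */
int64_t cut_text_needed_bounded(const uint8_t *data, size_t len)
{
    if (len == 1) {
        return CUT_TEXT_HEADER_LEN;
    }
    if (len == CUT_TEXT_HEADER_LEN) {
        uint32_t dlen = rfb_read_u32(data, 4);
        if (dlen > CUT_TEXT_MAX_LEN) {
            return -1;                         /* oversized paste: refuse it */
        }
        if (dlen > 0) {
            return (int64_t)CUT_TEXT_HEADER_LEN + dlen;
        }
    }
    return 0;
}

/* Builds a ClientCutText header with a given declared length (constructed
 * input for trying the two functions above). */
void cut_text_header(uint8_t out[8], uint32_t dlen)
{
    out[0] = 6;                                /* ClientCutText message type */
    out[1] = out[2] = out[3] = 0;              /* padding */
    out[4] = (uint8_t)(dlen >> 24);
    out[5] = (uint8_t)(dlen >> 16);
    out[6] = (uint8_t)(dlen >> 8);
    out[7] = (uint8_t)dlen;
}
```

With a header declaring 0xFFFFFFFF bytes, the unbounded function asks the reader loop for 4294967303 bytes, which is exactly the growth Peter describes; the bounded function returns -1 instead, and the only policy decision left is where to set the cap, which is the question Anthony raises.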