Re: [Qemu-devel] possible denial of service via VNC

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] possible denial of service via VNC

From:	Gerd Hoffmann
Subject:	Re: [Qemu-devel] possible denial of service via VNC
Date:	Mon, 30 Jun 2014 09:33:53 +0200

On So, 2014-06-29 at 14:16 +0200, Peter Lieven wrote:
> Hi,
> 
> while debugging a VNC issue I found this:
> 
>     case VNC_MSG_CLIENT_CUT_TEXT:
>         if (len == 1)
>             return 8;
> 
>         if (len == 8) {
>             uint32_t dlen = read_u32(data, 4);
>             if (dlen > 0)
>                 return 8 + dlen;
>         }
> 
>         client_cut_text(vs, read_u32(data, 4), data + 8);
>         break;
> 
> in protocol_client_msg().
> 
> Is this really a good idea? This allows for letting the vs->input buffer to 
> grow
> up to 2^32 + 8 byte which will possibly result in an out of memory condition.

Applying a limit there looks reasonable to me.  Patches welcome.
As this is text only a megabyte should be more than enough for all
practical purposes.  Question is what to do when the limit is exceeded?
Disconnect?  Read & throw away?

cheers,
  Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] possible denial of service via VNC, Peter Lieven, 2014/06/29
- Re: [Qemu-devel] possible denial of service via VNC, Anthony Liguori, 2014/06/29
- Re: [Qemu-devel] possible denial of service via VNC, Gerd Hoffmann <=
  - Re: [Qemu-devel] possible denial of service via VNC, Peter Lieven, 2014/06/30
    - Re: [Qemu-devel] possible denial of service via VNC, Gerd Hoffmann, 2014/06/30
    - Re: [Qemu-devel] possible denial of service via VNC, Peter Lieven, 2014/06/30

Prev by Date: Re: [Qemu-devel] [PATCH 0/4] ui/cocoa: Fix absolute positioning and other bugs
Next by Date: Re: [Qemu-devel] possible denial of service via VNC
Previous by thread: Re: [Qemu-devel] possible denial of service via VNC
Next by thread: Re: [Qemu-devel] possible denial of service via VNC
Index(es):
- Date
- Thread