Diffstat (limited to 'main/libvncserver/CVE-2018-7225.patch')
-rw-r--r--main/libvncserver/CVE-2018-7225.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/main/libvncserver/CVE-2018-7225.patch b/main/libvncserver/CVE-2018-7225.patch
new file mode 100644
index 0000000000..08ae206475
--- /dev/null
+++ b/main/libvncserver/CVE-2018-7225.patch
@@ -0,0 +1,63 @@
+From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH] Limit client cut text length to 1 MB
+
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+
+CVE-2018-7225
+<https://github.com/LibVNC/libvncserver/issues/218>
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 116c488..4fc4d9d 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -85,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* PRIu32 */
++#include <inttypes.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2577,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
+--
+2.17.0
+
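Review bot: The diffstat shows only this patch file being added, so nothing in this commit wires the fix into the package build; unless the package's build script (its source list and checksum entry) is updated in a companion change, the CVE-2018-7225 fix is not applied to the built package. The embedded upstream patch's first hunk header `@@ -85,6 +88,8 @@` has differing old and new start lines (85 vs 88) even though it is the first hunk, which looks like a hand-edited or rebased header; patch tools locate hunks by the old-side context, so it will presumably still apply, but confirm the build's patch step succeeds without fuzz or rejects. The hunk bodies themselves are consistent with the embedded header's stated 19 insertions and 1 deletion (2 added lines in the include hunk, 17 added and 1 removed in the cut-text hunk).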