ia64/xen-unstable

changeset 11632:ca3abb3804f4

[HVM][VNC] Make sure that qemu doesn't go into an infinite loop when
it receives certain invalid requests from the viewer.

Signed-off-by: Steven Smith <sos22@cam.ac.uk>
author Steven Smith <ssmith@xensource.com>
date Tue Sep 26 16:46:47 2006 +0100 (2006-09-26)
parents 7fca81d456b2
children a1154318cd80
files tools/ioemu/vnc.c
     1.1 --- a/tools/ioemu/vnc.c	Tue Sep 26 16:45:52 2006 +0100
     1.2 +++ b/tools/ioemu/vnc.c	Tue Sep 26 16:46:47 2006 +0100
     1.3 @@ -26,6 +26,7 @@
     1.4  
     1.5  #include "vl.h"
     1.6  #include "qemu_socket.h"
     1.7 +#include <assert.h>
     1.8  
     1.9  /* The refresh interval starts at BASE.  If we scan the buffer and
    1.10     find no change, we increase by INC, up to MAX.  If the mouse moves
    1.11 @@ -728,8 +729,10 @@ static void vnc_client_read(void *opaque
    1.12  	    memmove(vs->input.buffer, vs->input.buffer + len,
    1.13  		    vs->input.offset - len);
    1.14  	    vs->input.offset -= len;
    1.15 -	} else
    1.16 +	} else {
    1.17 +	    assert(ret > vs->read_handler_expect);
    1.18  	    vs->read_handler_expect = ret;
    1.19 +	}
    1.20      }
    1.21  }
    1.22  
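Review bot: The added `assert(ret > vs->read_handler_expect)` is the only guard against a handler returning the current length or less, and it disappears entirely when the file is built with NDEBUG, restoring the infinite loop the commit describes; where it is compiled in, it aborts the whole device model on a condition that a remote VNC client may be able to trigger. A check that survives any build would be safer, e.g. `if (ret <= vs->read_handler_expect) { /* protocol error: drop this client */ return; }` using whatever client-error path vnc.c already has (none is visible from this hunk). If the assert is kept as a debugging aid, a comment stating that the handlers above are expected to always grow the expectation would help the next reader. vnc_client_read starts before the hunk.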
    1.23 @@ -1076,8 +1079,12 @@ static int protocol_client_msg(VncState 
    1.24  	if (len == 1)
    1.25  	    return 4;
    1.26  
    1.27 -	if (len == 4)
    1.28 -	    return 4 + (read_u16(data, 2) * 4);
    1.29 +	if (len == 4) {
    1.30 +	    uint16_t v;
    1.31 +	    v = read_u16(data, 2);
    1.32 +	    if (v)
    1.33 +		return 4 + v * 4;
    1.34 +	}
    1.35  
    1.36  	limit = read_u16(data, 2);
    1.37  	for (i = 0; i < limit; i++) {
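Review bot: The new `if (v)` guard around the SetEncodings size computation has no comment explaining why a zero count must not take the early return: `4 + 0 * 4` equals len, so read_handler_expect would be set to the current length and vnc_client_read would re-enter this handler with the same data forever. I would add `/* zero encodings: returning len would re-invoke us forever; fall through and consume the header */` above it. The `limit = read_u16(data, 2)` below re-reads the same field that `v` holds; the values agree, but since v is scoped to the if-block the loop (whose body is outside this hunk) relies on limit being 0 in that case. protocol_client_msg starts before the hunk.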
    1.38 @@ -1117,8 +1124,12 @@ static int protocol_client_msg(VncState 
    1.39  	if (len == 1)
    1.40  	    return 8;
    1.41  
    1.42 -	if (len == 8)
    1.43 -	    return 8 + read_u32(data, 4);
    1.44 +	if (len == 8) {
    1.45 +	    uint32_t v;
    1.46 +	    v = read_u32(data, 4);
    1.47 +	    if (v)
    1.48 +		return 8 + 4;
    1.49 +	}
    1.50  
    1.51  	client_cut_text(vs, read_u32(data, 4), data + 8);
    1.52  	break;