currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocated
that amount of memory which could easily create an
out of memory condition.
This patch limits the payload size to 1MB max.
Please note that client_cut_text messages are currently
silently ignored.
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Above is
f9a70e79391f in qemu upstream.
Cherry picked onto in qemu-xen-4.6-testing and qemu-xen-unstable:
Conflicts:
ui/vnc.c
Dropped { } style changes.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Above is
2b5684137e81 in qemu-xen-4.6-testing and qemu-xen-unstable,
now being cherry picked onto qemu-xen-4.5-testing. Also need
1c8d43cbdf0f, its fixup patch:
We do not have `error_report'. Use fprintf to stderr, like the rest
of the file.
Fix commit message to refer to vnc.c, not ui/vnc.c.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
(cherry picked from commit
dfe880e8d5fdc863ce6bbcdcaebaf918f8689cc0)
(cherry picked from commit
5ae0569d964ad1a6d8dc781e5566d39210a5d063)
(cherry picked from commit
1e5099d596b6f7a977d4bc040a54edc2a6a3c6a4)
if (len == 8) {
uint32_t v;
v = read_u32(data, 4);
if (len == 8) {
uint32_t v;
v = read_u32(data, 4);
+ if (v > (1 << 20)) {
+ fprintf(stderr, "vnc: client_cut_text msg payload has %u bytes"
+ " which exceeds our limit of 1MB.\n", v);
+ vnc_client_error(vs);
+ break;
+ }
projects / qemu-xen-4.2-testing.git / commitdiff