| Field | Value |
|---|---|
| Message ID | 20220925204511.1103214-1-mcascell@redhat.com (mailing list archive) |
| State | New, archived |
| Series | ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext |
On Sun, Sep 25, 2022 at 10:45 PM Mauro Matteo Cascella <mcascell@redhat.com> wrote: > > Extended ClientCutText messages start with a 4-byte header. If len < 4, > an integer underflow occurs in vnc_client_cut_text_ext. The result is > used to decompress data in a while loop in inflate_buffer, leading to > CPU consumption and denial of service. Prevent this by checking dlen in > protocol_client_msg. > > Fixes: CVE-2022-3165 > Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support") > Reported-by: TangPeng <tangpeng@qianxin.com> > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > --- > Extended Clipboard Pseudo-Encoding: > https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding > > ui/vnc.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/ui/vnc.c b/ui/vnc.c > index 6a05d06147..acb3629cd8 100644 > --- a/ui/vnc.c > +++ b/ui/vnc.c > @@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) > if (len == 1) { > return 8; > } > + uint32_t dlen = abs(read_s32(data, 4)); > if (len == 8) { > - uint32_t dlen = abs(read_s32(data, 4)); > if (dlen > (1 << 20)) { > error_report("vnc: client_cut_text msg payload has %u bytes" > " which exceeds our limit of 1MB.", dlen); > @@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) > } > > if (read_s32(data, 4) < 0) { > - vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)), > - read_u32(data, 8), data + 12); > + if (dlen < 4) { > + error_report("vnc: malformed payload (header less than 4 bytes)" > + " in extended clipboard pseudo-encoding."); > + vnc_client_error(vs); > + break; > + } > + vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12); > break; > } > vnc_client_cut_text(vs, read_u32(data, 4), data + 8); > -- > 2.37.3 > Any updates here? Thanks,
On Sun, Sep 25, 2022 at 10:45:11PM +0200, Mauro Matteo Cascella wrote: > Extended ClientCutText messages start with a 4-byte header. If len < 4, > an integer underflow occurs in vnc_client_cut_text_ext. The result is > used to decompress data in a while loop in inflate_buffer, leading to > CPU consumption and denial of service. Prevent this by checking dlen in > protocol_client_msg. > > Fixes: CVE-2022-3165 > Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support") > Reported-by: TangPeng <tangpeng@qianxin.com> > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Added to queue. thanks, Gerd
diff --git a/ui/vnc.c b/ui/vnc.c index 6a05d06147..acb3629cd8 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) if (len == 1) { return 8; } + uint32_t dlen = abs(read_s32(data, 4)); if (len == 8) { - uint32_t dlen = abs(read_s32(data, 4)); if (dlen > (1 << 20)) { error_report("vnc: client_cut_text msg payload has %u bytes" " which exceeds our limit of 1MB.", dlen); @@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) } if (read_s32(data, 4) < 0) { - vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)), - read_u32(data, 8), data + 12); + if (dlen < 4) { + error_report("vnc: malformed payload (header less than 4 bytes)" + " in extended clipboard pseudo-encoding."); + vnc_client_error(vs); + break; + } + vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12); break; } vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
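Review bot: in the first hunk, hoisting `uint32_t dlen = abs(read_s32(data, 4));` out of the `len == 8` block makes it run on every call that reaches this point, and abs() on a signed 32-bit value is undefined for INT32_MIN (a length field of 0x80000000 sent by the client), so the moved line carries a pre-existing undefined-behaviour case onto the common path. Suggest computing the magnitude in unsigned arithmetic instead, e.g. `int32_t slen = read_s32(data, 4);` followed by `uint32_t dlen = slen < 0 ? 0u - (uint32_t)slen : (uint32_t)slen;`, which yields 0x80000000 for that input and lets the existing `dlen > (1 << 20)` check reject it without relying on what abs() happens to return.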
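Review bot: in the second hunk, the new `dlen < 4` lower bound sits after the `len == 8` sizing block while the `dlen > (1 << 20)` upper bound on the same field sits inside it, so a negative length of magnitude 1..3 passes the sizing step and is only rejected on the later call, and the two bounds end up in different places. Consider checking `read_s32(data, 4) < 0 && dlen < 4` next to the 1MB check inside `if (len == 8)`, which rejects the client before any payload is read and removes the need to hoist `dlen` in the first hunk. Separately, the message "header less than 4 bytes" describes the wrong thing: the 4-byte header is fixed and it is the payload that is too short, so "payload shorter than the 4-byte extended clipboard header" would be more accurate in the log.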
Extended ClientCutText messages start with a 4-byte header. If len < 4, an integer underflow occurs in vnc_client_cut_text_ext. The result is used to decompress data in a while loop in inflate_buffer, leading to CPU consumption and denial of service. Prevent this by checking dlen in protocol_client_msg.

Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng <tangpeng@qianxin.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
Extended Clipboard Pseudo-Encoding:
https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding

 ui/vnc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
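The underflow the commit message describes, as an added stand-alone C model (not QEMU's code): it shows the unsigned wrap when an extended ClientCutText payload is shorter than its 4-byte flags word, and a header check that applies both the existing 1MB cap and the new lower bound. The function names (cut_text_check, unchecked_body_len, make_cut_text_hdr) are assumed; the header layout, the sign convention and the limits are those the patch and the linked RFB spec state.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the ClientCutText length handling from this patch; not
 * QEMU code. RFB header: type(1) pad(3) length(4, big-endian signed). A negative
 * length selects the extended format: a 4-byte flags word, then zlib data. */
#define CUT_TEXT_MAX_BYTES (1u << 20) /* the 1MB cap in protocol_client_msg */
#define EXT_HEADER_BYTES   4u         /* flags word of the extended format */

static int32_t read_s32_be(const uint8_t *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Pre-fix arithmetic: for dlen < 4 the unsigned subtraction wraps to a huge
 * byte count, which is what kept the inflate loop in inflate_buffer running. */
uint32_t unchecked_body_len(uint32_t dlen)
{
    return dlen - EXT_HEADER_BYTES;
}

/* Validate an 8-byte ClientCutText header. Returns the number of payload
 * bytes that may be processed (after the flags word for the extended format),
 * or -1 when the client must be disconnected. */
int64_t cut_text_check(const uint8_t hdr[8], bool *extended)
{
    int32_t slen = read_s32_be(hdr + 4);
    /* Magnitude in unsigned arithmetic: abs(INT32_MIN) would be undefined. */
    uint32_t dlen = slen < 0 ? 0u - (uint32_t)slen : (uint32_t)slen;
    if (dlen > CUT_TEXT_MAX_BYTES) {
        return -1; /* upper bound: the existing 1MB check */
    }
    *extended = slen < 0;
    if (!*extended) {
        return dlen;
    }
    if (dlen < EXT_HEADER_BYTES) {
        return -1; /* lower bound: the check this patch adds */
    }
    return dlen - EXT_HEADER_BYTES;
}

/* Test helper (assumed name): build a header carrying a signed length field. */
void make_cut_text_hdr(uint8_t hdr[8], int32_t length)
{
    uint32_t v = (uint32_t)length;
    hdr[0] = 6; hdr[1] = hdr[2] = hdr[3] = 0; /* ClientCutText is type 6 */
    hdr[4] = (uint8_t)(v >> 24); hdr[5] = (uint8_t)(v >> 16);
    hdr[6] = (uint8_t)(v >> 8);  hdr[7] = (uint8_t)v;
}
```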