From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Daniel P. Berrange"
Date: Mon, 23 Mar 2015 22:58:20 +0000
Message-Id: <1427151502-14386-1-git-send-email-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 0/2] CVE-2015-1779: fix denial of service in VNC websockets
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann

The VNC websockets protocol decoder has two places where it did not correctly limit its resource usage when processing data from the client. This can be abused by a malicious client to cause QEMU to consume all system memory, unless it is otherwise limited by ulimits and/or cgroups.

These problems can be triggered in the websockets layer before the VNC protocol actually starts, so no client authentication will have taken place at this point.

Daniel P. Berrange (2):
  CVE-2015-1779: incrementally decode websocket frames
  CVE-2015-1779: limit size of HTTP headers from websockets clients

 ui/vnc-ws.c | 115 +++++++++++++++++++++++++++++++++++++++++-------------------
 ui/vnc-ws.h |   9 +++--
 ui/vnc.h    |   2 ++
 3 files changed, 88 insertions(+), 38 deletions(-)

-- 
2.1.0
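As an added illustration of the mitigation named in the second patch title (bounding the HTTP headers a websockets client may send before the VNC handshake), here is a bounded handshake reader written for this note. It is not QEMU's ui/vnc-ws.c; the 4096-byte limit, the WsHandshakeBuf type and the function names are assumptions, and both sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

#define WS_HTTP_HEADER_MAX 4096   /* assumed limit, not QEMU's constant */

typedef struct {
    char buf[WS_HTTP_HEADER_MAX];
    size_t len;                    /* bytes buffered so far */
} WsHandshakeBuf;

enum { WS_HS_NEED_MORE = 0, WS_HS_COMPLETE = 1, WS_HS_TOO_LARGE = -1 };

/* Append one chunk of client data. The handshake is rejected as soon as it
 * would exceed WS_HTTP_HEADER_MAX, so a client that never sends the
 * terminating blank line cannot make the server buffer grow without bound. */
int ws_handshake_feed(WsHandshakeBuf *hb, const char *data, size_t n)
{
    if (n > WS_HTTP_HEADER_MAX - hb->len) return WS_HS_TOO_LARGE;
    memcpy(hb->buf + hb->len, data, n);
    hb->len += n;
    /* Scan only the window in which a terminator ending in this chunk could start. */
    size_t start = hb->len > n + 3 ? hb->len - n - 3 : 0;
    for (size_t i = start; i + 4 <= hb->len; i++)
        if (memcmp(hb->buf + i, "\r\n\r\n", 4) == 0) return WS_HS_COMPLETE;
    return hb->len == WS_HTTP_HEADER_MAX ? WS_HS_TOO_LARGE : WS_HS_NEED_MORE;
}

/* Constructed sample: a benign upgrade request arriving in two reads. */
int demo_valid_handshake(void)
{
    static const char req[] = "GET / HTTP/1.1\r\nHost: example\r\nUpgrade: websocket\r\n\r\n";
    WsHandshakeBuf hb = { .len = 0 };
    if (ws_handshake_feed(&hb, req, 20) != WS_HS_NEED_MORE) return -2;
    return ws_handshake_feed(&hb, req + 20, strlen(req) - 20);
}

/* Constructed sample: a client streaming header bytes and never sending the
 * blank line. Returns how many 1 KiB chunks were accepted before rejection. */
int demo_header_flood(void)
{
    char chunk[1024];
    WsHandshakeBuf hb = { .len = 0 };
    int accepted = 0, st;
    memset(chunk, 'A', sizeof(chunk));
    while ((st = ws_handshake_feed(&hb, chunk, sizeof(chunk))) == WS_HS_NEED_MORE)
        accepted++;
    return st == WS_HS_TOO_LARGE ? accepted : -1;
}
```

The point of the flood sample is that memory use stays at the fixed buffer size no matter how much the unauthenticated client sends; the connection is rejected once the limit is reached rather than buffered indefinitely.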