* [Qemu-devel] possible denial of service via VNC
@ 2014-06-29 12:16 Peter Lieven
2014-06-29 17:12 ` Anthony Liguori
2014-06-30 7:33 ` Gerd Hoffmann
0 siblings, 2 replies; 6+ messages in thread
From: Peter Lieven @ 2014-06-29 12:16 UTC (permalink / raw)
To: Gerd Hoffmann, qemu-devel
Hi,
while debugging a VNC issue I found this:
case VNC_MSG_CLIENT_CUT_TEXT:
if (len == 1)
return 8;
if (len == 8) {
uint32_t dlen = read_u32(data, 4);
if (dlen > 0)
return 8 + dlen;
}
client_cut_text(vs, read_u32(data, 4), data + 8);
break;
in protocol_client_msg().
Is this really a good idea? This allows for letting the vs->input buffer to grow
up to 2^32 + 8 byte which will possibly result in an out of memory condition.
Peter
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Qemu-devel] possible denial of service via VNC
2014-06-29 12:16 [Qemu-devel] possible denial of service via VNC Peter Lieven
@ 2014-06-29 17:12 ` Anthony Liguori
2014-06-30 7:33 ` Gerd Hoffmann
1 sibling, 0 replies; 6+ messages in thread
From: Anthony Liguori @ 2014-06-29 17:12 UTC (permalink / raw)
To: Peter Lieven; +Cc: Gerd Hoffmann, qemu-devel
On Sun, Jun 29, 2014 at 5:16 AM, Peter Lieven <pl@kamp.de> wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
> case VNC_MSG_CLIENT_CUT_TEXT:
> if (len == 1)
> return 8;
>
> if (len == 8) {
> uint32_t dlen = read_u32(data, 4);
> if (dlen > 0)
> return 8 + dlen;
> }
>
> client_cut_text(vs, read_u32(data, 4), data + 8);
> break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows for letting the vs->input buffer to grow
> up to 2^32 + 8 byte which will possibly result in an out of memory condition.
The spec allows cut operations of this size. What would a reasonable limit be?
Regards,
Anthony Liguori
> PeterY
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Qemu-devel] possible denial of service via VNC
2014-06-29 12:16 [Qemu-devel] possible denial of service via VNC Peter Lieven
2014-06-29 17:12 ` Anthony Liguori
@ 2014-06-30 7:33 ` Gerd Hoffmann
2014-06-30 7:45 ` Peter Lieven
1 sibling, 1 reply; 6+ messages in thread
From: Gerd Hoffmann @ 2014-06-30 7:33 UTC (permalink / raw)
To: Peter Lieven; +Cc: qemu-devel
On So, 2014-06-29 at 14:16 +0200, Peter Lieven wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
> case VNC_MSG_CLIENT_CUT_TEXT:
> if (len == 1)
> return 8;
>
> if (len == 8) {
> uint32_t dlen = read_u32(data, 4);
> if (dlen > 0)
> return 8 + dlen;
> }
>
> client_cut_text(vs, read_u32(data, 4), data + 8);
> break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows for letting the vs->input buffer to grow
> up to 2^32 + 8 byte which will possibly result in an out of memory condition.
Applying a limit there looks reasonable to me. Patches welcome.
As this is text only a megabyte should be more than enough for all
practical purposes. Question is what to do when the limit is exceeded?
Disconnect? Read & throw away?
cheers,
Gerd
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Qemu-devel] possible denial of service via VNC
2014-06-30 7:33 ` Gerd Hoffmann
@ 2014-06-30 7:45 ` Peter Lieven
2014-06-30 7:46 ` Gerd Hoffmann
0 siblings, 1 reply; 6+ messages in thread
From: Peter Lieven @ 2014-06-30 7:45 UTC (permalink / raw)
To: Gerd Hoffmann, Peter Lieven; +Cc: qemu-devel
On 30.06.2014 09:33, Gerd Hoffmann wrote:
> On So, 2014-06-29 at 14:16 +0200, Peter Lieven wrote:
>> Hi,
>>
>> while debugging a VNC issue I found this:
>>
>> case VNC_MSG_CLIENT_CUT_TEXT:
>> if (len == 1)
>> return 8;
>>
>> if (len == 8) {
>> uint32_t dlen = read_u32(data, 4);
>> if (dlen > 0)
>> return 8 + dlen;
>> }
>>
>> client_cut_text(vs, read_u32(data, 4), data + 8);
>> break;
>>
>> in protocol_client_msg().
>>
>> Is this really a good idea? This allows for letting the vs->input buffer to grow
>> up to 2^32 + 8 byte which will possibly result in an out of memory condition.
> Applying a limit there looks reasonable to me. Patches welcome.
> As this is text only a megabyte should be more than enough for all
> practical purposes. Question is what to do when the limit is exceeded?
> Disconnect? Read & throw away?
I would also think something in the order of megabytes should be fine.
I would vote for disconnect as soon as the limit specified is too big. Otherwise
we had to rewrite the whole receive logic which could introduce additional
bugs.
Peter
--
Mit freundlichen Grüßen
Peter Lieven
...........................................................
KAMP Netzwerkdienste GmbH
Vestische Str. 89-91 | 46117 Oberhausen
Tel: +49 (0) 208.89 402-50 | Fax: +49 (0) 208.89 402-40
pl@kamp.de | http://www.kamp.de
Geschäftsführer: Heiner Lante | Michael Lante
Amtsgericht Duisburg | HRB Nr. 12154
USt-Id-Nr.: DE 120607556
...........................................................
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-06-30 7:52 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-29 12:16 [Qemu-devel] possible denial of service via VNC Peter Lieven
2014-06-29 17:12 ` Anthony Liguori
2014-06-30 7:33 ` Gerd Hoffmann
2014-06-30 7:45 ` Peter Lieven
2014-06-30 7:46 ` Gerd Hoffmann
2014-06-30 7:51 ` Peter Lieven
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.