Message-ID: <53B115A0.9040602@kamp.de>
Date: Mon, 30 Jun 2014 09:45:36 +0200
From: Peter Lieven
References: <53B003B2.2020309@kamp.de> <1404113633.17465.3.camel@nilsson.home.kraxel.org>
In-Reply-To: <1404113633.17465.3.camel@nilsson.home.kraxel.org>
Subject: Re: [Qemu-devel] possible denial of service via VNC
To: Gerd Hoffmann, Peter Lieven
Cc: "qemu-devel@nongnu.org"

On 30.06.2014 09:33, Gerd Hoffmann wrote:
> On So, 2014-06-29 at 14:16 +0200, Peter Lieven wrote:
>> Hi,
>>
>> while debugging a VNC issue I found this:
>>
>>     case VNC_MSG_CLIENT_CUT_TEXT:
>>         if (len == 1)
>>             return 8;
>>
>>         if (len == 8) {
>>             uint32_t dlen = read_u32(data, 4);
>>             if (dlen > 0)
>>                 return 8 + dlen;
>>         }
>>
>>         client_cut_text(vs, read_u32(data, 4), data + 8);
>>         break;
>>
>> in protocol_client_msg().
>>
>> Is this really a good idea? This allows for letting the vs->input buffer grow
>> up to 2^32 + 8 bytes, which will possibly result in an out of memory condition.
> Applying a limit there looks reasonable to me. Patches welcome.
> As this is text only a megabyte should be more than enough for all
> practical purposes. Question is what to do when the limit is exceeded?
> Disconnect? Read & throw away?
I would also think something in the order of megabytes should be fine. I would vote for disconnect as soon as the limit specified is too big. Otherwise we would have to rewrite the whole receive logic, which could introduce additional bugs.

Peter

--
Kind regards

Peter Lieven

...........................................................

KAMP Netzwerkdienste GmbH
Vestische Str. 89-91 | 46117 Oberhausen
Tel: +49 (0) 208.89 402-50 | Fax: +49 (0) 208.89 402-40
pl@kamp.de | http://www.kamp.de

Managing directors: Heiner Lante | Michael Lante
Amtsgericht Duisburg | HRB Nr. 12154
VAT ID: DE 120607556

...........................................................
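The limit-and-disconnect approach discussed in this thread, as an added example in C that is not QEMU's code: the same length computation as the quoted handler, but with a cap (1 MiB, following the "a megabyte should be more than enough" suggestion) applied before the advertised length can drive the input buffer's growth. The function names, status codes and the exact cap value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Cap on the advertised cut-text length, following the thread's "a megabyte
 * should be more than enough" suggestion; the exact value is an assumption. */
#define VNC_CUT_TEXT_MAX (1024u * 1024u)

/* Status codes for the length check (names are assumptions, not QEMU's). */
enum { CUT_TEXT_NEED_MORE = 0, CUT_TEXT_COMPLETE = 1, CUT_TEXT_TOO_LARGE = 2 };

static uint32_t read_u32(const uint8_t *data, size_t off)
{
    return ((uint32_t)data[off] << 24) | ((uint32_t)data[off + 1] << 16) |
           ((uint32_t)data[off + 2] << 8) | (uint32_t)data[off + 3];
}

/* Same length computation as the quoted handler (1 type byte, 3 padding
 * bytes, big-endian u32 length, then the text), but the advertised length is
 * checked against the cap before it can grow the input buffer.
 * On CUT_TEXT_TOO_LARGE the caller disconnects, as proposed in the thread. */
int vnc_cut_text_check(const uint8_t *data, size_t len, size_t *needed)
{
    if (len < 8) {
        *needed = 8;
        return CUT_TEXT_NEED_MORE;
    }
    uint32_t dlen = read_u32(data, 4);
    if (dlen > VNC_CUT_TEXT_MAX) {
        return CUT_TEXT_TOO_LARGE;
    }
    *needed = 8 + (size_t)dlen;
    return len >= *needed ? CUT_TEXT_COMPLETE : CUT_TEXT_NEED_MORE;
}

/* Self-check helper: build a constructed ClientCutText header (type 6, padding,
 * big-endian length) advertising dlen bytes and classify it as if 'received'
 * bytes had arrived. Only the 8 header bytes are ever inspected. */
int classify_cut_text(uint32_t dlen, size_t received)
{
    uint8_t hdr[8] = { 6, 0, 0, 0, (uint8_t)(dlen >> 24), (uint8_t)(dlen >> 16),
                       (uint8_t)(dlen >> 8), (uint8_t)dlen };
    size_t needed = 0;
    return vnc_cut_text_check(hdr, received, &needed);
}
```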