From: Peter Maydell
Date: Wed, 1 Apr 2015 15:42:01 +0100
Subject: Re: [Qemu-devel] [PULL for-2.3 0/2] vnc: fix websocket security issues (cve-2015-1779).
In-Reply-To: <1427897475-26983-1-git-send-email-kraxel@redhat.com>
To: Gerd Hoffmann
Cc: QEMU Developers

On 1 April 2015 at 15:11, Gerd Hoffmann wrote:
>   Hi,
>
> $subject says all, here are the cve-2015-1779 fixes for vnc websockets
> from Daniel P. Berrange for 2.3-rc2.
>
> please pull,
>   Gerd
>
> The following changes since commit 054903a832b865eb5432d79b5c9d1e1ff31b58d7:
>
>   Update version for v2.3.0-rc1 release (2015-03-24 16:34:16 +0000)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/pull-cve-2015-1779-20150401-1
>
> for you to fetch changes up to 9cf222fd4fd3f4d1f959685c061279d0673726cd:
>
>   CVE-2015-1779: limit size of HTTP headers from websockets clients (2015-04-01 15:48:52 +0200)
>
> ----------------------------------------------------------------
> vnc: fix websocket security issues (cve-2015-1779).
>
> ----------------------------------------------------------------
> Daniel P. Berrange (2):
>       CVE-2015-1779: incrementally decode websocket frames
>       CVE-2015-1779: limit size of HTTP headers from websockets clients

Oops, this doesn't build on 32 bit:

/root/qemu/ui/vnc-ws.c: In function ‘vnc_client_read_ws’:
/root/qemu/ui/vnc-ws.c:133:45: error: passing argument 3 of
‘vncws_decode_frame_header’ from incompatible pointer type [-Werror]
In file included from /root/qemu/ui/vnc.h:112:0,
                 from /root/qemu/ui/vnc-ws.c:21:
/root/qemu/ui/vnc-ws.h:86:5: note: expected ‘size_t *’ but argument is of type ‘uint64_t *’
/root/qemu/ui/vnc-ws.c:145:46: error: passing argument 2 of
‘vncws_decode_frame_payload’ from incompatible pointer type [-Werror]
In file included from /root/qemu/ui/vnc.h:112:0,
                 from /root/qemu/ui/vnc-ws.c:21:
/root/qemu/ui/vnc-ws.h:90:5: note: expected ‘size_t *’ but argument is of type ‘uint64_t *’
cc1: all warnings being treated as errors

Making the payload_remain arguments to the two functions be uint64_t
rather than size_t seems to fix this. The other approach is to change
the VncState::ws_payload_remain field from uint64_t to size_t. I haven't
looked through the ramifications of this enough to recommend one over
the other.

Since we need to respin anyway, can you add the effects of not having
the fixes (ie "frequent spurious disconnects", "fails to build on 32-bit
systems") to the commit message too?

thanks
-- PMM
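Added example, not code from QEMU's vnc-ws.c or from this thread, illustrating the type question Peter raises. A websocket frame's payload length is a 64-bit quantity on the wire (RFC 6455), so a `size_t` holder is narrower than the wire value on 32-bit targets; the snippet keeps the remaining-payload count in `uint64_t` all the way through (the first of the two options above) and only narrows it after bounding it by the available buffer, so the cast to `size_t` cannot truncate. The names `ws_parse_header`, `ws_payload_chunk` and `struct ws_hdr`, and the sample frame bytes, are hypothetical constructions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not QEMU's vnc-ws.c: decode the RFC 6455 frame
 * header and keep the announced payload length in a uint64_t end to end,
 * so the same code builds and behaves identically on 32- and 64-bit hosts. */

struct ws_hdr {
    int consumed;      /* header bytes consumed; 0 = need more input, -1 = protocol error */
    uint64_t remain;   /* payload bytes announced by the peer (wire width, not size_t) */
    int masked;        /* client-to-server frames carry a 4-byte masking key */
};

struct ws_hdr ws_parse_header(const uint8_t *buf, size_t len)
{
    struct ws_hdr h = { 0, 0, 0 };
    size_t need = 2;
    uint64_t plen;
    int i;

    if (len < need)
        return h;                         /* incremental decode: wait for more bytes */

    h.masked = (buf[1] & 0x80) != 0;
    plen = buf[1] & 0x7F;

    if (plen == 126) {                    /* 16-bit extended length follows */
        need = 4;
        if (len < need)
            return h;
        plen = ((uint64_t)buf[2] << 8) | buf[3];
    } else if (plen == 127) {             /* 64-bit extended length follows */
        need = 10;
        if (len < need)
            return h;
        plen = 0;
        for (i = 0; i < 8; i++)
            plen = (plen << 8) | buf[2 + i];
        if (plen >> 63) {                 /* RFC 6455: most significant bit must be 0 */
            h.consumed = -1;
            return h;
        }
    }
    if (h.masked) {
        need += 4;                        /* masking key */
        if (len < need)
            return h;
    }
    h.consumed = (int)need;
    h.remain = plen;
    return h;
}

/* How many payload bytes may be consumed from a buffer holding 'avail' bytes.
 * The comparison is done at uint64_t width, so the result is always <= avail
 * and the narrowing cast cannot truncate on a 32-bit size_t. */
size_t ws_payload_chunk(uint64_t remain, size_t avail)
{
    if (remain < (uint64_t)avail)
        return (size_t)remain;
    return avail;
}

/* Constructed sample frame headers (no payload bytes). */
static const uint8_t frame_short[] = { 0x81, 0x05 };
static const uint8_t frame_16bit[] = { 0x81, 0x7E, 0x01, 0x00 };
static const uint8_t frame_64bit_masked[] = {
    0x82, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
    0xDE, 0xAD, 0xBE, 0xEF
};
static const uint8_t frame_partial[] = { 0x81, 0x7E, 0x01 };
static const uint8_t frame_bad_msb[] = {
    0x81, 0x7F, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    struct ws_hdr h = ws_parse_header(frame_64bit_masked, sizeof frame_64bit_masked);
    printf("consumed=%d remain=%llu masked=%d\n",
           h.consumed, (unsigned long long)h.remain, h.masked);
    printf("chunk of 1<<40 into a 4096-byte buffer: %zu\n",
           ws_payload_chunk((uint64_t)1 << 40, 4096));
    return 0;
}
```

With this shape the only `size_t` in the path is the one derived from the local buffer size, which is the value that actually indexes memory; the peer-controlled length never reaches a `size_t` unbounded.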