From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42835)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1Yd0Be-0001f8-5A
	for qemu-devel@nongnu.org; Tue, 31 Mar 2015 13:42:50 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1Yd0Ba-0004Aa-Tn
	for qemu-devel@nongnu.org; Tue, 31 Mar 2015 13:42:50 -0400
Received: from mail-ig0-f176.google.com ([209.85.213.176]:36080)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1Yd0Ba-0004AK-PV
	for qemu-devel@nongnu.org; Tue, 31 Mar 2015 13:42:46 -0400
Received: by igbud6 with SMTP id ud6so25413878igb.1
	for <qemu-devel@nongnu.org>; Tue, 31 Mar 2015 10:42:46 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <1427151502-14386-2-git-send-email-berrange@redhat.com>
References: <1427151502-14386-1-git-send-email-berrange@redhat.com>
	<1427151502-14386-2-git-send-email-berrange@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 31 Mar 2015 18:42:25 +0100
Message-ID: <CAFEAcA_o109BTHjDyoKMYUxjboGgzyu3TU9a5854m=Ymygbnbw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode
 websocket frames
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: QEMU Developers <qemu-devel@nongnu.org>, Gerd Hoffmann <kraxel@redhat.com>

On 23 March 2015 at 22:58, Daniel P. Berrange <berrange@redhat.com> wrote:
> +int vncws_decode_frame_payload(Buffer *input,
> +                               size_t *payload_remain, WsMask *payload_mask,
> +                               uint8_t **payload, size_t *payload_size)
> +{
> +    size_t i;
> +    uint32_t *payload32;
>
> -    if (input->offset < *frame_size) {
> -        /* frame not complete */
> +    *payload = input->buffer;
> +    /* If we aren't at the end of the payload, then drop
> +     * off the last bytes, so we're always multiple of 4
> +     * for purpose of unmasking, except at end of payload
> +     */
> +    if (input->offset < *payload_remain) {
> +        *payload_size = input->offset - (input->offset % 4);
> +    } else {
> +        *payload_size = input->offset;

This can set *payload_size to a value larger than
*payload_remain, if the input buffer happens to contain
further data after the end of this packet...

> +    }
> +    if (*payload_size == 0) {
>          return 0;
>      }
> -
> -    *payload = input->buffer + header_size;
> +    *payload_remain -= *payload_size;

...at which point this will end up making
*payload_remain negative. Disconnection happens shortly
afterwards.

Should the line
    *payload_size = input->offset;
actually read
    *payload_size = *payload_remain;

?

Making that change appears to fix the novnc disconnects
that Gerd reports.

thanks
-- PMM