From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Fiona Ebner" <f.ebner@proxmox.com>,
	"Markus Frank" <m.frank@proxmox.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [PATCH] ui: reject extended clipboard message if not activated
Date: Mon, 15 Jan 2024 09:51:19 +0000	[thread overview]
Message-ID: <20240115095119.654271-1-berrange@redhat.com> (raw)

The extended clipboard message protocol requires that the client
activate the extension by requesting a pseudo encoding. If this
is not done, then any extended clipboard messages from the client
should be considered invalid and the client dropped.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---

The need for this fix was identified as part of the investigation for
CVE-2023-6683. This does NOT, however, fix that CVE, as it only
addresses one of the problem codepaths that can trigger that
CVE.

 ui/vnc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 4f23a0fa79..3b2c71e653 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
         }
 
         if (read_s32(data, 4) < 0) {
+            if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
+                error_report("vnc: extended clipboard message while disabled");
+                vnc_client_error(vs);
+                break;
+            }
             if (dlen < 4) {
                 error_report("vnc: malformed payload (header less than 4 bytes)"
                              " in extended clipboard pseudo-encoding.");
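Review bot: the ordering of the new check looks right: the feature test precedes the existing `dlen < 4` validation, so an extended-format message (negative length at offset 4) from a client that never requested the pseudo-encoding is rejected before any of its header is interpreted, and `vnc_client_error(vs)` plus `break` is the same drop path the malformed-payload branch below uses, so both failure modes are handled consistently. One suggestion: the relationship to CVE-2023-6683 currently lives only in the note below `---`, which `git am` discards; a one-line mention in the commit message proper (e.g. "Partial mitigation for CVE-2023-6683; the remaining codepath is handled separately") would preserve that context in the git history, where people triaging the CVE will look for it.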
-- 
2.43.0
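To make the activation rule from the commit message concrete, here is an added, self-contained model of the negotiation gate. It is not QEMU's code and not part of the patch: the `ClientState` struct, the `FEAT_CLIPBOARD_EXT` bit, the result enum and the sample messages are all constructed for illustration. It keeps the RFB ClientCutText layout (type byte 6, three padding bytes, signed 32-bit length, payload) and the convention that a negative length marks the extended form, and it shows the full flow the patch relies on: the client's SetEncodings list activates the feature, and an extended-format message is refused unless that activation happened.

```c
/* Added example (not QEMU code): feature-negotiation gate for the extended
 * clipboard message. Names, bit values and messages are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed feature bit set when the client requests the pseudo-encoding. */
enum { FEAT_CLIPBOARD_EXT = 1u << 0 };
/* RFB message type for ClientCutText. */
enum { MSG_CLIENT_CUT_TEXT = 6 };
/* ExtendedClipboard pseudo-encoding number (0xc0a1e5ce as a signed s32);
 * treat the exact value as an assumption for this example. */
#define ENC_EXTENDED_CLIPBOARD ((int32_t)-1063131698)

typedef struct {
    uint32_t features; /* negotiated feature bits */
    int error;         /* non-zero once the client must be dropped */
} ClientState;

typedef enum { PARSE_PLAIN, PARSE_EXTENDED, PARSE_ERROR } ParseResult;

/* Big-endian signed 32-bit read, as in the RFB wire format. */
static int32_t read_s32(const uint8_t *d, size_t off)
{
    return (int32_t)(((uint32_t)d[off] << 24) | ((uint32_t)d[off + 1] << 16) |
                     ((uint32_t)d[off + 2] << 8) | (uint32_t)d[off + 3]);
}

/* SetEncodings handler: a pseudo-encoding in the client's list activates
 * the corresponding extension. This is the only way the bit gets set. */
static void handle_set_encodings(ClientState *cs, const int32_t *encs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (encs[i] == ENC_EXTENDED_CLIPBOARD) {
            cs->features |= FEAT_CLIPBOARD_EXT;
        }
    }
}

/* ClientCutText handler with the activation gate applied before any
 * extended-format parsing takes place. */
static ParseResult handle_cut_text(ClientState *cs, const uint8_t *data, size_t len)
{
    if (len < 8 || data[0] != MSG_CLIENT_CUT_TEXT) {
        cs->error = 1;
        return PARSE_ERROR;
    }
    int32_t length = read_s32(data, 4);
    if (length >= 0) {
        /* Legacy form: length bytes of Latin-1 text follow the header. */
        if ((uint32_t)length > len - 8) {
            cs->error = 1;
            return PARSE_ERROR;
        }
        return PARSE_PLAIN;
    }
    /* Extended form. Refuse it outright unless the client negotiated it. */
    if (!(cs->features & FEAT_CLIPBOARD_EXT)) {
        fprintf(stderr, "extended clipboard message while disabled\n");
        cs->error = 1;
        return PARSE_ERROR;
    }
    /* Negate without signed overflow (INT32_MIN would otherwise be UB). */
    uint32_t dlen = (uint32_t)0 - (uint32_t)length;
    if (dlen < 4 || dlen > len - 8) { /* flags word must be present */
        cs->error = 1;
        return PARSE_ERROR;
    }
    return PARSE_EXTENDED;
}

/* Constructed sample messages. */
static const uint8_t MSG_PLAIN[] = { 6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
/* length = -4: extended form carrying only the 4-byte flags word. */
static const uint8_t MSG_EXT[] = { 6, 0, 0, 0, 0xff, 0xff, 0xff, 0xfc, 0, 0, 0, 0 };

int main(void)
{
    ClientState cs = { 0, 0 };
    printf("extended before activation -> %d (error=%d)\n",
           handle_cut_text(&cs, MSG_EXT, sizeof MSG_EXT), cs.error);
    ClientState cs2 = { 0, 0 };
    int32_t encs[] = { 0 /* Raw */, ENC_EXTENDED_CLIPBOARD };
    handle_set_encodings(&cs2, encs, 2);
    printf("extended after activation  -> %d (error=%d)\n",
           handle_cut_text(&cs2, MSG_EXT, sizeof MSG_EXT), cs2.error);
    return 0;
}
```

The point of the model is the ordering: the feature bit is consulted as soon as the negative length identifies the extended form, before the flags word or any payload is examined, which is exactly where the patch places its check in `protocol_client_msg`.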

Thread overview: 4+ messages
2024-01-15  9:51 Daniel P. Berrangé [this message]
2024-01-15 10:00 ` [PATCH] ui: reject extended clipboard message if not activated Marc-André Lureau
2024-01-17 12:10 ` Michael Tokarev
2024-01-17 12:15   ` Daniel P. Berrangé