From: Anthony Liguori
Subject: Re: [PATCH][Take 3] VNC authentification
Date: Tue, 03 Oct 2006 12:56:31 -0500
To: Masami Watanabe
Cc: Ian Pratt, xen-devel@lists.xensource.com, "Daniel P. Berrange"

Masami Watanabe wrote:
> +static int vnc_auth(VncState *vs) > +{ > + extern char vncpasswd[64]; > + extern unsigned char challenge[AUTHCHALLENGESIZE]; > + > + if (*vncpasswd == '\0') { > + /* AuthType is None */ > + vnc_write_u32(vs, 1); > + vnc_flush(vs); > + vnc_read_when(vs, protocol_client_init, 1); > + } else { > + /* AuthType is VncAuth */ > + vnc_write_u32(vs, 2); > + vnc_flush(vs); > + > + /* Read AuthType */ > + vnc_read_when(vs, protocol_authtype, 1); >

As I mentioned before, you cannot have two vnc_read_when()'s in an execution path without returning to the mainloop. protocol_authtype() cannot possibly be invoked. If the code is working now, it's pure luck.

There was just a very high profile RealVNC vulnerability that was due to improper authtype handling. It's very important we do this right so we don't duplicate this bug.

Regards,

Anthony Liguori

> + /* Send Challenge */ > + make_challenge(challenge, AUTHCHALLENGESIZE); > + vnc_write(vs, challenge, AUTHCHALLENGESIZE); > + vnc_flush(vs); > + > + /* Read Responce */ > + vnc_read_when(vs, protocol_response, AUTHCHALLENGESIZE); > + } > + > + return 0; > +}
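
Review bot: in the VncAuth branch of vnc_auth(), the challenge is generated and written, and vnc_read_when(vs, protocol_response, AUTHCHALLENGESIZE) is called, in the same pass as vnc_read_when(vs, protocol_authtype, 1) with no return in between, so nothing in this function waits for or checks the client's auth type byte before the challenge goes out. Suggest returning right after the protocol_authtype registration and moving the make_challenge() / vnc_write() / protocol_response steps into protocol_authtype(), after it has confirmed the client's value is the type that was written (2). Separately, challenge is declared extern at the top of the function, so it is one buffer for the whole process; keeping it in VncState would tie each response to the challenge issued on that connection.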
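
A simplified model of the point made in the reply, added here as an example and not taken from the patch or from QEMU: a connection has one pending-read slot, each handler registers the next read only after it has run, and the auth type handler rejects any type that was not offered. All names (Conn, read_when, deliver, start_auth) and the 16-byte CHALLENGE_LEN are assumptions made for the model.

```c
#include <stddef.h>

#define AUTH_NONE 1
#define AUTH_VNC  2
#define CHALLENGE_LEN 16   /* assumed challenge size for this model */

typedef struct Conn Conn;
typedef int ReadEvent(Conn *c, const unsigned char *data, size_t len);
struct Conn {
    ReadEvent *handler;    /* the single pending-read slot */
    size_t expect;         /* bytes the pending handler waits for */
    int offered, challenge_sent, closed;
};

/* Only records the handler: a second call made before returning to the
 * main loop replaces the first, which then never runs. */
static void read_when(Conn *c, ReadEvent *fn, size_t expect)
{
    c->handler = fn;
    c->expect = expect;
}

static int on_response(Conn *c, const unsigned char *d, size_t n)
{
    (void)c; (void)d; (void)n; return 0;  /* response check omitted here */
}

/* Runs only once the main loop has delivered the client's byte. */
static int on_authtype(Conn *c, const unsigned char *d, size_t n)
{
    if (n != 1 || d[0] != c->offered) {   /* reject a type not offered */
        c->closed = 1;
        c->handler = NULL;
        return -1;
    }
    c->challenge_sent = 1;                /* challenge goes out only now */
    read_when(c, on_response, CHALLENGE_LEN);
    return 0;
}

/* Main-loop step: hand received bytes to the one pending handler. */
static int deliver(Conn *c, const unsigned char *d, size_t n)
{
    ReadEvent *fn = c->handler;
    return (fn && n == c->expect) ? fn(c, d, n) : -1;
}

static void start_auth(Conn *c)
{
    c->offered = AUTH_VNC;
    read_when(c, on_authtype, 1);         /* register one read, then return */
}
```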