From: Peter Lieven
To: Gerd Hoffmann, qemu-devel@nongnu.org
Date: Sun, 29 Jun 2014 14:16:50 +0200
Message-ID: <53B003B2.2020309@kamp.de>
Subject: [Qemu-devel] possible denial of service via VNC

Hi,

while debugging a VNC issue I found this:

    case VNC_MSG_CLIENT_CUT_TEXT:
        if (len == 1)
            return 8;
        if (len == 8) {
            uint32_t dlen = read_u32(data, 4);
            if (dlen > 0)
                return 8 + dlen;
        }
        client_cut_text(vs, read_u32(data, 4), data + 8);
        break;

in protocol_client_msg(). Is this really a good idea? This allows the vs->input buffer to grow up to 2^32 + 8 bytes, which will possibly result in an out-of-memory condition.

Peter
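The length handling quoted in the report, rewritten as an added stand-alone example (not QEMU's code) with a capped variant beside it to show the mitigation a server would apply; the 1 MiB cap, the helper names and the constructed header bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Big-endian 32-bit read at an offset, the role read_u32() plays in the VNC code. */
static uint32_t read_u32_be(const uint8_t *d, size_t off)
{
    return ((uint32_t)d[off] << 24) | ((uint32_t)d[off + 1] << 16) |
           ((uint32_t)d[off + 2] << 8) | (uint32_t)d[off + 3];
}

/* Return convention as in protocol_client_msg(): a non-zero value is how many
 * bytes must be buffered in vs->input before the message can be processed,
 * 0 means the message is complete. dlen comes straight from the client, so
 * the demanded buffer size is bounded only by the 32-bit field. */
static uint64_t cut_text_wanted_unbounded(const uint8_t *data, size_t len)
{
    if (len == 1) return 8;
    if (len == 8) {
        uint32_t dlen = read_u32_be(data, 4);
        if (dlen > 0) return 8 + (uint64_t)dlen;
    }
    return 0;
}

/* Hardened variant (an assumption for this example, not QEMU's own fix):
 * refuse to buffer a clipboard payload above a fixed cap and return -1 so
 * the caller can disconnect the client instead of growing vs->input. */
#define CUT_TEXT_MAX_BYTES (1u << 20)  /* 1 MiB, chosen for the example */
static int64_t cut_text_wanted_capped(const uint8_t *data, size_t len)
{
    if (len == 1) return 8;
    if (len == 8) {
        uint32_t dlen = read_u32_be(data, 4);
        if (dlen > CUT_TEXT_MAX_BYTES) return -1;
        if (dlen > 0) return 8 + (int64_t)dlen;
    }
    return 0;
}

/* Constructed 8-byte ClientCutText header: message type 6, 3 padding bytes,
 * then a length field of 0xFFFFFFFF, the largest value the field can carry. */
static const uint8_t max_len_hdr[8] = {6, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};

/* How much the two variants would ask the caller to buffer for that header. */
uint64_t demo_unbounded_demand(void) { return cut_text_wanted_unbounded(max_len_hdr, 8); }
int64_t  demo_capped_demand(void)    { return cut_text_wanted_capped(max_len_hdr, 8); }
```

The unbounded variant asks for 2^32 + 7 bytes for that header, while the capped variant rejects it before any allocation happens.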