Message-ID: <1404113633.17465.3.camel@nilsson.home.kraxel.org>
From: Gerd Hoffmann
Date: Mon, 30 Jun 2014 09:33:53 +0200
In-Reply-To: <53B003B2.2020309@kamp.de>
Subject: Re: [Qemu-devel] possible denial of service via VNC
To: Peter Lieven
Cc: "qemu-devel@nongnu.org"

On So, 2014-06-29 at 14:16 +0200, Peter Lieven wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
>     case VNC_MSG_CLIENT_CUT_TEXT:
>         if (len == 1)                 /* only the type byte so far: ask for the 8-byte header */
>             return 8;
>
>         if (len == 8) {               /* header complete: ask for the announced text length */
>             uint32_t dlen = read_u32(data, 4);
>             if (dlen > 0)
>                 return 8 + dlen;
>         }
>
>         client_cut_text(vs, read_u32(data, 4), data + 8);
>         break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows the vs->input buffer to grow
> up to 2^32 + 8 bytes, which will possibly result in an out of memory condition.

Applying a limit there looks reasonable to me. Patches welcome.

As this is text only, a megabyte should be more than enough for all practical purposes.

Question is what to do when the limit is exceeded? Disconnect? Read & throw away?

cheers,
  Gerd
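Added example, not code from this thread or from QEMU: a C sketch of the capped length check discussed above, staging the ClientCutText message the same way the quoted protocol_client_msg() does but refusing lengths above a hypothetical one-megabyte VNC_CUT_TEXT_MAX and answering the open question with "disconnect". read_u32() is my own big-endian stand-in for QEMU's helper, and the enum and sample messages are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical cap: the "a megabyte" suggested in the reply above. */
#define VNC_CUT_TEXT_MAX (1024u * 1024u)

enum cut_text_action {
    CUT_TEXT_NEED_MORE,  /* keep reading until *need bytes are buffered */
    CUT_TEXT_DELIVER,    /* complete message buffered, hand text onwards */
    CUT_TEXT_DISCONNECT  /* announced length exceeds the cap, drop client */
};

/* Stand-in for QEMU's read_u32(): big-endian u32 at offset, as RFB uses. */
static uint32_t read_u32(const uint8_t *data, size_t offset)
{
    return ((uint32_t)data[offset] << 24) | ((uint32_t)data[offset + 1] << 16) |
           ((uint32_t)data[offset + 2] << 8) | (uint32_t)data[offset + 3];
}

/* ClientCutText is type(1) pad(3) length(4) text(length). Mirrors the
 * len == 1 / len == 8 staging quoted above, but refuses to let the input
 * buffer grow past 8 + VNC_CUT_TEXT_MAX bytes (choosing "disconnect"). */
static enum cut_text_action cut_text_step(const uint8_t *data, size_t len, size_t *need)
{
    if (len < 8) {
        *need = 8;                      /* header first */
        return CUT_TEXT_NEED_MORE;
    }
    uint32_t dlen = read_u32(data, 4);
    if (dlen > VNC_CUT_TEXT_MAX) {      /* check before the addition below */
        *need = 0;
        return CUT_TEXT_DISCONNECT;
    }
    *need = 8 + (size_t)dlen;           /* cannot wrap: dlen is bounded now */
    return len < *need ? CUT_TEXT_NEED_MORE : CUT_TEXT_DELIVER;
}

/* Constructed sample messages (no real client involved). */
static const uint8_t SAMPLE_HELLO[13] = { 6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_HUGE[8]   = { 6, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };

int main(void)
{
    size_t need;
    enum cut_text_action a = cut_text_step(SAMPLE_HELLO, 8, &need);
    printf("hello, header only: action %d, need %zu bytes\n", a, need);
    printf("hello, complete:    action %d\n", cut_text_step(SAMPLE_HELLO, 13, &need));
    printf("0xffffffff length:  action %d\n", cut_text_step(SAMPLE_HUGE, 8, &need));
    return 0;
}
```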