From: Gerd Hoffmann
Date: Wed, 01 Apr 2015 15:36:55 +0200
Subject: Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websocket frames
To: Peter Maydell
Cc: QEMU Developers
Message-ID: <1427895415.6445.8.camel@nilsson.home.kraxel.org>
References: <1427151502-14386-1-git-send-email-berrange@redhat.com> <1427151502-14386-2-git-send-email-berrange@redhat.com>

  Hi,

> > + if (input->offset < *payload_remain) {
> > + *payload_size = input->offset - (input->offset % 4);
> > + } else {
> > + *payload_size = input->offset;
>
> This can set *payload_size to a value larger than
> *payload_remain, if the input buffer happens to contain
> further data after the end of this packet...
>
> > + }
> > + if (*payload_size == 0) {
> > return 0;
> > }
> > -
> > - *payload = input->buffer + header_size;
> > + *payload_remain -= *payload_size;
>
> ...at which point this will end up making
> *payload_remain negative. Disconnection happens shortly
> afterwards.
>
> Should the line
> *payload_size = input->offset;
> actually read
> *payload_size = *payload_remain;
>
> ?
>
> Making that change appears to fix the novnc disconnects
> that Gerd reports.

Confirmed.
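Review bot: at the `*payload_remain -= *payload_size;` line nothing guarantees that *payload_size is no larger than *payload_remain, so the subtraction silently underflows whenever the branch above overshoots; beyond Peter's correction of the else branch to `*payload_size = *payload_remain;`, a guard before the subtraction (fail the decode when `*payload_size > *payload_remain`) would keep a later change to the size selection from reintroducing the negative remainder. The first branch's rounding down via `input->offset % 4` also deserves a one-line comment saying why only multiples of 4 are handed out, since a reader of the hunk cannot tell from the code alone.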
Fixes the issues I've seen in testing and looks sensible to me. Comment
from Daniel would be nice, especially as I know next to nothing about
websockets, but he seems to be off into the Easter holidays already.

So, with -rc2 waiting for this (and being late already) I think I'll
squash in the incremental fix and prepare a pull request even without
Daniel's ack ...

cheers,
  Gerd
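The size selection Peter walks through above, as an added C example that is not code from the QEMU patch or from anyone in this thread: the version he flagged and his one-line correction are both run on a constructed buffer holding the rest of the current frame plus bytes of the next one. The `input_buf_t` struct, the `select_chunk` helper and the signed `int64_t` type of `*payload_remain` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the decoder's input buffer; only the field the quoted
 * hunk reads is modelled (constructed for this example). */
typedef struct {
    size_t offset;   /* bytes currently held in the buffer */
} input_buf_t;

/* Chunk-size selection from the quoted hunk. `fixed` picks either the
 * version Peter flagged (else branch hands out the whole buffer) or his
 * correction (else branch capped at the bytes still owed to this frame).
 * Returns 1 when a chunk was consumed, 0 when nothing could be consumed
 * yet. *payload_remain is assumed signed, matching the "negative" outcome
 * described in the thread. */
static int select_chunk(int fixed, const input_buf_t *input,
                        int64_t *payload_remain, size_t *payload_size)
{
    if (input->offset < (size_t)*payload_remain) {
        /* partial frame: only hand out whole 4-byte groups */
        *payload_size = input->offset - (input->offset % 4);
    } else if (fixed) {
        *payload_size = (size_t)*payload_remain;   /* never overshoots */
    } else {
        *payload_size = input->offset;             /* bug: may overshoot */
    }
    if (*payload_size == 0) {
        return 0;
    }
    *payload_remain -= (int64_t)*payload_size;
    return 1;
}

/* Helpers that run one scenario and expose the outcome as return values. */
static int64_t remain_after(int fixed, size_t offset, int64_t remain)
{
    input_buf_t in = { offset };
    size_t size = 0;
    select_chunk(fixed, &in, &remain, &size);
    return remain;
}

static size_t size_chosen(int fixed, size_t offset, int64_t remain)
{
    input_buf_t in = { offset };
    size_t size = 0;
    select_chunk(fixed, &in, &remain, &size);
    return size;
}
```

With 10 bytes still owed to the frame and 17 bytes buffered, the flagged version hands out all 17 and leaves `*payload_remain` at -7, while the corrected version hands out exactly 10 and leaves 0.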