* [Qemu-devel] PATCH: Fix edge case bug in VNC server TLS auth
@ 2009-02-12 12:24 Daniel P. Berrange
From: Daniel P. Berrange @ 2009-02-12 12:24 UTC (permalink / raw)
  To: qemu-devel

Just discovered a nasty little edge case bug in the VNC server TLS auth
code. In the case where the TLS handshake does *not* block on I/O, QEMU
sends the next 'start sub-auth' message twice. This seriously confuses
the VNC client :-) Fortunately the chances of the handshake not blocking
are close to zero for a TCP socket, which is why it has not been noticed
thus far. Even with both client & server on localhost, I can only hit the
bug 1 time in 20.

NB, the diff context here is not too informative. If you look at the
full code you'll see that a few lines earlier we called vnc_start_tls()
which called vnc_continue_handshake() which called the method
start_auth_vencrypt_subauth(). Hence, fixing the bug just involves
removing the 2nd bogus call to start_auth_vencrypt_subauth() as per
this patch.

 Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Daniel

diff -r da9abc900b0e vnc.c
--- a/vnc.c	Tue Feb 10 18:46:57 2009 +0000
+++ b/vnc.c	Wed Feb 11 17:31:25 2009 +0000
@@ -2049,14 +2049,6 @@ static int protocol_client_vencrypt_auth
 	    VNC_DEBUG("Failed to complete TLS\n");
 	    return 0;
 	}
-
-	if (vs->wiremode == VNC_WIREMODE_TLS) {
-	    VNC_DEBUG("Starting VeNCrypt subauth\n");
-	    return start_auth_vencrypt_subauth(vs);
-	} else {
-	    VNC_DEBUG("TLS handshake blocked\n");
-	    return 0;
-	}
     }
     return 0;
 }
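
Review bot: after the "Failed to complete TLS" check there is now nothing in the code to say why the function falls straight through to "return 0", so a short comment at the point where the wiremode block was removed would help keep the duplicate call from being reintroduced. Something like "sub-auth is started from vnc_continue_handshake() once the handshake completes" would record the call chain that is currently explained only in the commit message. The removal also drops both VNC_DEBUG lines ("Starting VeNCrypt subauth" and "TLS handshake blocked"), so it is worth confirming that the handshake path still logs which of the two cases occurred, since that distinction is what made this bug visible in the first place.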


-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
