From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1LXabt-0003Sf-B5 for qemu-devel@nongnu.org; Thu, 12 Feb 2009 07:24:05 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1LXabr-0003ST-4o for qemu-devel@nongnu.org; Thu, 12 Feb 2009 07:24:03 -0500 Received: from [199.232.76.173] (port=56373 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1LXabr-0003SQ-0X for qemu-devel@nongnu.org; Thu, 12 Feb 2009 07:24:03 -0500 Received: from mx1.redhat.com ([66.187.233.31]:60990) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1LXabq-0001Dm-Mi for qemu-devel@nongnu.org; Thu, 12 Feb 2009 07:24:02 -0500 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n1CCO2mN011333 for ; Thu, 12 Feb 2009 07:24:02 -0500 Received: from file.fab.redhat.com (file.fab.redhat.com [10.33.63.6]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n1CCO3am020500 for ; Thu, 12 Feb 2009 07:24:04 -0500 Received: from file.fab.redhat.com (localhost.localdomain [127.0.0.1]) by file.fab.redhat.com (8.13.1/8.13.1) with ESMTP id n1CCO0g6024823 for ; Thu, 12 Feb 2009 12:24:00 GMT Received: (from berrange@localhost) by file.fab.redhat.com (8.13.1/8.13.1/Submit) id n1CCO0Wh024819 for qemu-devel@nongnu.org; Thu, 12 Feb 2009 12:24:00 GMT Date: Thu, 12 Feb 2009 12:24:00 +0000 From: "Daniel P. Berrange" Message-ID: <20090212122400.GL9894@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Subject: [Qemu-devel] PATCH: Fix edge case bug in VNC server TLS auth Reply-To: "Daniel P. Berrange" , qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Just discovered a nasty little edge case bug in the VNC server TLS auth code. In the case where the TLS handshake does *not* block on I/O, QEMU sends the next 'start sub-auth' message twice. This seriously confuses the VNC client :-) Fortunately the chances of the handshake not blocking are close to zero for a TCP socket, which is why it has not been noticed thus far. Even with both client & server on localhost, I can only hit the bug 1 time in 20. NB, the diff context here is not too informative. If you look at the full code you'll see that a few lines early we called vnc_start_tls() which called vnc_continue_handshake() which called the method start_auth_vencrypt_subauth(). Hence, fixing the bug, just involves removing the 2nd bogus call to start_auth_vencrypt_subauth() as per this patch. Signed-off-by: Daniel P. Berrange Daniel diff -r da9abc900b0e vnc.c --- a/vnc.c Tue Feb 10 18:46:57 2009 +0000 +++ b/vnc.c Wed Feb 11 17:31:25 2009 +0000 @@ -2049,14 +2049,6 @@ static int protocol_client_vencrypt_auth VNC_DEBUG("Failed to complete TLS\n"); return 0; } - - if (vs->wiremode == VNC_WIREMODE_TLS) { - VNC_DEBUG("Starting VeNCrypt subauth\n"); - return start_auth_vencrypt_subauth(vs); - } else { - VNC_DEBUG("TLS handshake blocked\n"); - return 0; - } } return 0; } -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|