From: Anthony Liguori
To: Peter Lieven
Cc: Gerd Hoffmann, qemu-devel@nongnu.org
Date: Sun, 29 Jun 2014 10:12:13 -0700
In-Reply-To: <53B003B2.2020309@kamp.de>
Subject: Re: [Qemu-devel] possible denial of service via VNC

On Sun, Jun 29, 2014 at 5:16 AM, Peter Lieven wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
>     case VNC_MSG_CLIENT_CUT_TEXT:
>         if (len == 1)
>             return 8;
>
>         if (len == 8) {
>             uint32_t dlen = read_u32(data, 4);
>             if (dlen > 0)
>                 return 8 + dlen;
>         }
>
>         client_cut_text(vs, read_u32(data, 4), data + 8);
>         break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows the vs->input buffer to grow
> up to 2^32 + 8 bytes, which will possibly result in an out of memory condition.

The spec allows cut operations of this size. What would a reasonable limit be?

Regards,

Anthony Liguori

> Peter
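As an added illustration (not QEMU's code and not the fix the thread settled on), the following shows the shape of a bounded version of the quoted handler: the 32-bit length field is compared against a cap before the parser ever asks for 8 + dlen bytes, so an untrusted client cannot drive the input buffer towards 2^32 + 8 bytes. CUT_TEXT_MAX_LEN, read_u32_be and the sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed cap for this example; the thread does not name the limit QEMU chose. */
#define CUT_TEXT_MAX_LEN (1024u * 1024u)

enum cut_text_status { CUT_NEED_MORE, CUT_COMPLETE, CUT_REJECT };

/* RFB ClientCutText: byte 0 = type (6), bytes 1-3 padding, bytes 4-7 = big-endian length, then text. */
static uint32_t read_u32_be(const uint8_t *data, size_t off)
{
    return ((uint32_t)data[off] << 24) | ((uint32_t)data[off + 1] << 16) |
           ((uint32_t)data[off + 2] << 8) | (uint32_t)data[off + 3];
}

/*
 * Same shape as the quoted handler: given the bytes buffered so far, report how many
 * bytes the complete message needs (*need) or reject it. The cap is checked before
 * 8 + dlen is requested, so the buffer growth is bounded and the addition cannot wrap.
 */
enum cut_text_status parse_client_cut_text(const uint8_t *data, size_t len, size_t *need,
                                           const uint8_t **text, uint32_t *text_len)
{
    if (len < 8) {
        *need = 8;                       /* header not complete yet */
        return CUT_NEED_MORE;
    }
    uint32_t dlen = read_u32_be(data, 4);
    if (dlen > CUT_TEXT_MAX_LEN) {
        return CUT_REJECT;               /* caller should drop the client connection */
    }
    if (len < (size_t)8 + dlen) {
        *need = (size_t)8 + dlen;        /* at most 8 + CUT_TEXT_MAX_LEN */
        return CUT_NEED_MORE;
    }
    *text = data + 8;
    *text_len = dlen;
    return CUT_COMPLETE;
}

/* Constructed messages: a 5-byte cut text and a header claiming 0xFFFFFFFF bytes. Returns 1 on success. */
int check_constructed_messages(void)
{
    static const uint8_t small[] = { 6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    static const uint8_t huge[]  = { 6, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF };
    size_t need = 0; const uint8_t *text = NULL; uint32_t tl = 0;
    if (parse_client_cut_text(small, 8, &need, &text, &tl) != CUT_NEED_MORE || need != 13) return 0;
    if (parse_client_cut_text(small, sizeof small, &need, &text, &tl) != CUT_COMPLETE || tl != 5) return 0;
    if (memcmp(text, "hello", 5) != 0) return 0;
    return parse_client_cut_text(huge, sizeof huge, &need, &text, &tl) == CUT_REJECT;
}
```

Whatever the chosen cap, the key property is that the reject decision is taken from the 8-byte header alone, before any allocation depends on the client-supplied length.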