Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_te

From:	Gerd Hoffmann
Subject:	Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext
Date:	Tue, 11 Oct 2022 15:36:37 +0200

On Sun, Sep 25, 2022 at 10:45:11PM +0200, Mauro Matteo Cascella wrote:
> Extended ClientCutText messages start with a 4-byte header. If len < 4,
> an integer underflow occurs in vnc_client_cut_text_ext. The result is
> used to decompress data in a while loop in inflate_buffer, leading to
> CPU consumption and denial of service. Prevent this by checking dlen in
> protocol_client_msg.
> 
> Fixes: CVE-2022-3165
> Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
> Reported-by: TangPeng <tangpeng@qianxin.com>
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>

Added to queue.

thanks,
  Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext, Mauro Matteo Cascella, 2022/10/10
- Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext, Gerd Hoffmann <=

Prev by Date: Re: [PATCH 00/12] audio: misc. improvements and bug fixes
Next by Date: [PATCH v2] gtk: Add show_menubar=on|off command line option.
Previous by thread: Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext
Next by thread: [PATCH] migration: Fix the minus value for compressed_size
Index(es):
- Date
- Thread