[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_te
From: |
Gerd Hoffmann |
Subject: |
Re: [PATCH] ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext |
Date: |
Tue, 11 Oct 2022 15:36:37 +0200 |
On Sun, Sep 25, 2022 at 10:45:11PM +0200, Mauro Matteo Cascella wrote:
> Extended ClientCutText messages start with a 4-byte header. If len < 4,
> an integer underflow occurs in vnc_client_cut_text_ext. The result is
> used to decompress data in a while loop in inflate_buffer, leading to
> CPU consumption and denial of service. Prevent this by checking dlen in
> protocol_client_msg.
>
> Fixes: CVE-2022-3165
> Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
> Reported-by: TangPeng <tangpeng@qianxin.com>
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Added to queue.
thanks,
Gerd