[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] possible denial of service via VNC
From: |
Peter Lieven |
Subject: |
[Qemu-devel] possible denial of service via VNC |
Date: |
Sun, 29 Jun 2014 14:16:50 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 |
Hi,
while debugging a VNC issue I found this:
case VNC_MSG_CLIENT_CUT_TEXT:
if (len == 1)
return 8;
if (len == 8) {
uint32_t dlen = read_u32(data, 4);
if (dlen > 0)
return 8 + dlen;
}
client_cut_text(vs, read_u32(data, 4), data + 8);
break;
in protocol_client_msg().
Is this really a good idea? This allows for letting the vs->input buffer to grow
up to 2^32 + 8 byte which will possibly result in an out of memory condition.
Peter
- [Qemu-devel] possible denial of service via VNC,
Peter Lieven <=