On Sun, Sep 25, 2022 at 10:45 PM Mauro Matteo Cascella <mcasc...@redhat.com> wrote: > > Extended ClientCutText messages start with a 4-byte header. If len < 4, > an integer underflow occurs in vnc_client_cut_text_ext. The result is > used to decompress data in a while loop in inflate_buffer, leading to > CPU consumption and denial of service. Prevent this by checking dlen in > protocol_client_msg. > > Fixes: CVE-2022-3165 > Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support") > Reported-by: TangPeng <tangp...@qianxin.com> > Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com> > --- > Extended Clipboard Pseudo-Encoding: > https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding > > ui/vnc.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/ui/vnc.c b/ui/vnc.c > index 6a05d06147..acb3629cd8 100644 > --- a/ui/vnc.c > +++ b/ui/vnc.c > @@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t > *data, size_t len) > if (len == 1) { > return 8; > } > + uint32_t dlen = abs(read_s32(data, 4)); > if (len == 8) { > - uint32_t dlen = abs(read_s32(data, 4)); > if (dlen > (1 << 20)) { > error_report("vnc: client_cut_text msg payload has %u bytes" > " which exceeds our limit of 1MB.", dlen); > @@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t > *data, size_t len) > } > > if (read_s32(data, 4) < 0) { > - vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)), > - read_u32(data, 8), data + 12); > + if (dlen < 4) { > + error_report("vnc: malformed payload (header less than 4 > bytes)" > + " in extended clipboard pseudo-encoding."); > + vnc_client_error(vs); > + break; > + } > + vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12); > break; > } > vnc_client_cut_text(vs, read_u32(data, 4), data + 8); > -- > 2.37.3 >
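Review bot: the line moved in the first hunk, `uint32_t dlen = abs(read_s32(data, 4));`, still takes abs() of a client-controlled int32_t, which is undefined behaviour when the wire value is INT32_MIN (0x80000000); since that value is then compared against `(1 << 20)`, the limit check depends on an undefined result. Suggest computing the magnitude in unsigned arithmetic, e.g. `int32_t v = read_s32(data, 4);` followed by `uint32_t dlen = v < 0 ? 0u - (uint32_t)v : (uint32_t)v;`, so both the 1MB limit and the later extended-format check operate on a well-defined value.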
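Review bot: the `if (dlen < 4)` check added in the second hunk only runs after the full payload has been received, although dlen is now computed before the `if (len == 8)` branch and the sign of `read_s32(data, 4)` is already known there; placing the minimum-header check beside the existing `if (dlen > (1 << 20))` test would reject a malformed extended message at the 8-byte header instead of after waiting for dlen more bytes. The literal 4 also duplicates the header size that vnc_client_cut_text_ext subtracts, so a shared named constant would keep the check and the subtraction from drifting apart.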
Any updates here?

Thanks,
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
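The commit message above describes two validations on the ClientCutText length field: the 1MB cap and, for the extended format, a minimum of 4 bytes for the flags header so that the "length minus 4" passed to the decompressor cannot underflow. As an added example (this is not the QEMU patch and not QEMU code), the C parser below applies both checks on the 8-byte header before waiting for the body and derives the magnitude of the signed length without abs(). The wire layout, every function and type name, the error codes and the constructed messages are this example's own assumptions, drawn from the commit message and the linked specification.

```c
/* Added example, not part of the QEMU patch or of QEMU: a hardened parser
 * for the ClientCutText layout the commit message describes.  Assumed wire
 * format (from the message text and the linked RFB spec):
 *   byte 0       message type, bytes 1-3 padding
 *   bytes 4-7    big-endian signed 32-bit length; negative => extended format
 *   bytes 8-11   extended only: 32-bit flags header
 *   bytes 12...  extended only: compressed data, |length| - 4 bytes long
 * Names below (parse_client_cut_text etc.) are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CUT_TEXT_MAX   (1u << 20)  /* 1MB cap, the same limit the patch keeps */
#define EXT_HEADER_LEN 4u          /* flags word preceding the compressed data */

enum cut_text_status {
    CUT_TEXT_NEED_MORE,            /* collect *need bytes in total, then retry */
    CUT_TEXT_OK,
    CUT_TEXT_ERR_TOO_LARGE,
    CUT_TEXT_ERR_SHORT_EXT_HEADER  /* the CVE-2022-3165 case: |length| < 4 */
};

struct cut_text_msg {
    int extended;
    uint32_t flags;
    const uint8_t *payload;        /* text, or compressed data when extended */
    uint32_t payload_len;          /* never computed as dlen - 4 for dlen < 4 */
};

static int32_t read_s32_be(const uint8_t *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)v;
}

/* |v| in unsigned arithmetic: abs(INT32_MIN) would be undefined behaviour. */
static uint32_t magnitude_u32(int32_t v) {
    return v < 0 ? 0u - (uint32_t)v : (uint32_t)v;
}

/* Validate the header first, then the body.  On CUT_TEXT_NEED_MORE, *need is
 * the total size of the complete message the caller must collect. */
enum cut_text_status parse_client_cut_text(const uint8_t *data, size_t len,
                                           size_t *need, struct cut_text_msg *out) {
    if (len < 8) { *need = 8; return CUT_TEXT_NEED_MORE; }
    int32_t raw = read_s32_be(data + 4);
    uint32_t dlen = magnitude_u32(raw);
    if (dlen > CUT_TEXT_MAX) return CUT_TEXT_ERR_TOO_LARGE;
    /* Reject a short extended header before waiting for any payload. */
    if (raw < 0 && dlen < EXT_HEADER_LEN) return CUT_TEXT_ERR_SHORT_EXT_HEADER;
    if (len < 8 + (size_t)dlen) { *need = 8 + (size_t)dlen; return CUT_TEXT_NEED_MORE; }
    memset(out, 0, sizeof *out);
    if (raw < 0) {
        out->extended = 1;
        out->flags = (uint32_t)read_s32_be(data + 8);
        out->payload = data + 8 + EXT_HEADER_LEN;
        out->payload_len = dlen - EXT_HEADER_LEN;  /* safe: dlen >= 4 here */
    } else {
        out->payload = data + 8;
        out->payload_len = dlen;
    }
    return CUT_TEXT_OK;
}

/* Constructed test input: the length field and the actual body are chosen
 * independently, as a misbehaving client could do.  Results of the last
 * call are left in g_last_msg / g_need for inspection. */
struct cut_text_msg g_last_msg;
size_t g_need;

enum cut_text_status check_cut_text(int32_t len_field, const uint8_t *body, size_t body_len) {
    static uint8_t buf[64];
    if (8 + body_len > sizeof buf) return CUT_TEXT_ERR_TOO_LARGE;  /* sample too big for buf */
    memset(buf, 0, 8);
    buf[0] = 6;                                  /* ClientCutText message type */
    uint32_t u = (uint32_t)len_field;
    buf[4] = (uint8_t)(u >> 24); buf[5] = (uint8_t)(u >> 16);
    buf[6] = (uint8_t)(u >> 8);  buf[7] = (uint8_t)u;
    memcpy(buf + 8, body, body_len);
    g_need = 0;
    return parse_client_cut_text(buf, 8 + body_len, &g_need, &g_last_msg);
}

int main(void) {
    /* constructed extended body: flags = 1, then 3 bytes of "compressed" data */
    static const uint8_t ext[] = {0x00, 0x00, 0x00, 0x01, 'a', 'b', 'c'};
    printf("plain text:    %d\n", check_cut_text(5, (const uint8_t *)"hello", 5));
    printf("extended ok:   %d\n", check_cut_text(-7, ext, sizeof ext));
    printf("short ext hdr: %d\n", check_cut_text(-1, ext, 1));
    printf("INT32_MIN len: %d\n", check_cut_text(INT32_MIN, ext, sizeof ext));
    return 0;
}
```

The order of the checks is the point: both the size cap and the minimum extended header are decided from the first 8 bytes, so a client cannot make the server wait for a large body that will be rejected anyway, and `payload_len` is only ever computed once `dlen >= 4` has been established.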