Ewan
> I'm running VNC 3.3.3r2 under Solaris.
>
> If I have a client watching my session and someone telnets to port 5901
> (corresponding to my display :1), my client hangs until the telnet session
> stops.
>
> This seems like a rather easy denial-of-service attack. Am I doing
> something wrong?

No - it's not you. The http port is a similarly vulnerable d-o-s target.

The hang happens because Xvnc receives some bytes (when your telnetting
friend hits <return>) and enters a blocking read for the client's RFB
protocol/version. When 12 bytes have been received the telnet session
will (almost always) be unceremoniously disconnected with Xvnc reporting
"not a valid RFB client".

The hang can also happen anytime with a valid RFB client if the client
or the intervening network is slow/suspended. We found this a big
problem when sharing Xvnc across continents (well, between GB and Europe
at least).

I have just completed mods which fix this in Xvnc 3.3.3r2.
Reads/writes are buffered and non-blocking; the server is no longer
suspended by an unresponsive client. A compile-time constant limits how
much is buffered before a client gets disconnected. It works. There are
about 2000 more lines of source in "hw/vnc/" - but these are
conditionally compiled alternatives to ReadExact()/WriteExact() and
there's loads of comments.

I hope to submit the mods to this list after more tests.

> Note that, in my situation, this was found by accident, and doesn't
> actually cause a problem - I simply asked a colleague to use telnet. My
> server is behind a firewall and it's unlikely someone within our network is
> going to do this.
--
Regards, Mark.
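
The non-blocking handshake read described in the message above, as an added example that is not part of the original post and not the Xvnc modification itself. The struct, enum and function names are hypothetical, and a local socket pair stands in for the client connection; the 12-byte version length is the one quoted in the message.

```c
/* Added example; struct and function names are hypothetical, not Xvnc's. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RFB_VERSION_LEN 12            /* e.g. "RFB 003.003\n" */
enum hs_state { HS_PENDING, HS_OK, HS_REJECT };
struct client { int fd; char buf[RFB_VERSION_LEN]; size_t have; };

/* Switch the socket to non-blocking so read() can never suspend the server. */
int client_init(struct client *c, int fd) {
    int fl = fcntl(fd, F_GETFL, 0);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    c->fd = fd; c->have = 0;
    return 0;
}

/* Consume whatever has arrived; return HS_PENDING instead of waiting. */
enum hs_state client_handshake_step(struct client *c) {
    while (c->have < RFB_VERSION_LEN) {
        ssize_t n = read(c->fd, c->buf + c->have, RFB_VERSION_LEN - c->have);
        if (n > 0) { c->have += (size_t)n; continue; }
        if (n == 0) return HS_REJECT;                    /* peer closed early */
        if (errno == EINTR) continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) return HS_PENDING;
        return HS_REJECT;                                /* hard socket error */
    }
    /* All 12 bytes buffered: check the "RFB ddd.ddd\n" framing. */
    if (memcmp(c->buf, "RFB ", 4) || c->buf[7] != '.' || c->buf[11] != '\n')
        return HS_REJECT;                                /* not a valid RFB client */
    return HS_OK;
}

int main(void) {
    int sv[2];                        /* constructed local socket pair, no network */
    struct client c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || client_init(&c, sv[0])) return 1;
    if (write(sv[1], "\r\n", 2) != 2) return 1;   /* telnet user hits <return> */
    printf("after 2 bytes: %d (0 = pending, server keeps running)\n", client_handshake_step(&c));
    if (write(sv[1], "0123456789", 10) != 10) return 1;
    printf("after 12 bytes: %d (2 = rejected)\n", client_handshake_step(&c));
    return 0;
}
```

A server loop would call `client_handshake_step()` only for descriptors that select() reports readable and keep servicing other clients while the result is `HS_PENDING`.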