| commit | d307040b18bfcb1393b910f1bae753d5c12a4dc7 | |
| author | Mauro Matteo Cascella <mcascell@redhat.com> | |
| Sun, 25 Sep 2022 20:45:11 +0000 (25 22:45 +0200) | ||
| committer | Gerd Hoffmann <kraxel@redhat.com> | |
| Tue, 11 Oct 2022 13:30:27 +0000 (11 15:30 +0200) | ||
| tree | 11b4dcdb7576102e8b9fc71f0401a2c15b78d4ed | treesnapshot (tar.gz zip) |
| parent | b6d93282ccac79e42d87d02652db353894cd1db9 | commitdiff |
ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext
Extended ClientCutText messages start with a 4-byte header. If len < 4,
an integer underflow occurs in vnc_client_cut_text_ext. The result is
used to decompress data in a while loop in inflate_buffer, leading to
CPU consumption and denial of service. Prevent this by checking dlen in
protocol_client_msg.
Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng <tangpeng@qianxin.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Extended ClientCutText messages start with a 4-byte header. If len < 4,
an integer underflow occurs in vnc_client_cut_text_ext. The result is
used to decompress data in a while loop in inflate_buffer, leading to
CPU consumption and denial of service. Prevent this by checking dlen in
protocol_client_msg.
Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng <tangpeng@qianxin.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| ui/vnc.c | diffblobblamehistory |