summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristian Beier <[email protected]>2018-12-29 14:40:53 +0100
committerChristian Beier <[email protected]>2018-12-29 14:40:53 +0100
commite34bcbb759ca5bef85809967a268fdf214c1ad2c (patch)
treedb949b4c386bb5ffb293a8e26f472e0a3516edeb
parentc5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a (diff)
downloadlibtdevnc-e34bcbb759ca5bef85809967a268fdf214c1ad2c.tar.gz
libtdevnc-e34bcbb759ca5bef85809967a268fdf214c1ad2c.zip
LibVNCClient: ignore server-sent reason strings longer than 1MB
Fixes #273
-rw-r--r--libvncclient/rfbproto.c45
1 files changed, 21 insertions, 24 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 8792dbf..ba7d70a 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -412,11 +412,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key);
+static void
+ReadReason(rfbClient* client)
+{
+ uint32_t reasonLen;
+ char *reason;
+
+ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+ reasonLen = rfbClientSwap32IfLE(reasonLen);
+ if(reasonLen > 1<<20) {
+ rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
+ return;
+ }
+ reason = malloc(reasonLen+1);
+ if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+ reason[reasonLen]=0;
+ rfbClientLog("VNC connection failed: %s\n",reason);
+ free(reason);
+}
+
rfbBool
rfbHandleAuthResult(rfbClient* client)
{
- uint32_t authResult=0, reasonLen=0;
- char *reason=NULL;
+ uint32_t authResult=0;
if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
@@ -431,13 +449,7 @@ rfbHandleAuthResult(rfbClient* client)
if (client->major==3 && client->minor>7)
{
/* we have an error following */
- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
- reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc((uint64_t)reasonLen+1);
- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
- reason[reasonLen]=0;
- rfbClientLog("VNC connection failed: %s\n",reason);
- free(reason);
+ ReadReason(client);
return FALSE;
}
rfbClientLog("VNC authentication failed\n");
@@ -452,21 +464,6 @@ rfbHandleAuthResult(rfbClient* client)
return FALSE;
}
-static void
-ReadReason(rfbClient* client)
-{
- uint32_t reasonLen;
- char *reason;
-
- /* we have an error following */
- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
- reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc((uint64_t)reasonLen+1);
- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
- reason[reasonLen]=0;
- rfbClientLog("VNC connection failed: %s\n",reason);
- free(reason);
-}
static rfbBool
ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)