author | Christian Beier <[email protected]> | 2018-12-29 14:40:53 +0100 |
---|---|---|
committer | Christian Beier <[email protected]> | 2018-12-29 14:40:53 +0100 |
commit | e34bcbb759ca5bef85809967a268fdf214c1ad2c (patch) | |
tree | db949b4c386bb5ffb293a8e26f472e0a3516edeb | |
parent | c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a (diff) | |
LibVNCClient: ignore server-sent reason strings longer than 1MB
Fixes #273
-rw-r--r-- | libvncclient/rfbproto.c | 45 |
1 files changed, 21 insertions, 24 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 8792dbf..ba7d70a 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -412,11 +412,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
 extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
 extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key);
+static void
+ReadReason(rfbClient* client)
+{
+ uint32_t reasonLen;
+ char *reason;
+
+ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+ reasonLen = rfbClientSwap32IfLE(reasonLen);
+ if(reasonLen > 1<<20) {
+ rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
+ return;
+ }
+ reason = malloc(reasonLen+1);
+ if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+ reason[reasonLen]=0;
+ rfbClientLog("VNC connection failed: %s\n",reason);
+ free(reason);
+}
+
 rfbBool
 rfbHandleAuthResult(rfbClient* client)
 {
- uint32_t authResult=0, reasonLen=0;
- char *reason=NULL;
+ uint32_t authResult=0;
 if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
@@ -431,13 +449,7 @@ rfbHandleAuthResult(rfbClient* client)
 if (client->major==3 && client->minor>7) {
 /* we have an error following */
- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
- reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc((uint64_t)reasonLen+1);
- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
- reason[reasonLen]=0;
- rfbClientLog("VNC connection failed: %s\n",reason);
- free(reason);
+ ReadReason(client);
 return FALSE;
 }
 rfbClientLog("VNC authentication failed\n");
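Review bot: In the new ReadReason, the result of `malloc(reasonLen+1)` is handed to ReadFromRFBServer and then indexed without a NULL check, so a failed allocation for a server-chosen length of up to 1MB becomes a write through a null pointer; add `if (!reason) return;` right after the malloc. The over-limit branch returns without consuming the announced bytes, which is safe only because the call site in rfbHandleAuthResult (second hunk, body continues outside it) drops the connection with `return FALSE;`. A comment on ReadReason such as `/* on oversize or read failure the stream is left unsynchronised; callers must drop the connection */` would keep later callers from reusing the socket. The over-limit rfbClientLog format string also lacks the trailing `\n` that the other messages in this hunk carry. The reason text is server-controlled and logged verbatim with `%s`; whether the rfbClientLog sinks need control characters filtered cannot be judged from this hunk.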
@@ -452,21 +464,6 @@ rfbHandleAuthResult(rfbClient* client)
 return FALSE;
 }
-static void
-ReadReason(rfbClient* client)
-{
- uint32_t reasonLen;
- char *reason;
-
- /* we have an error following */
- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
- reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc((uint64_t)reasonLen+1);
- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
- reason[reasonLen]=0;
- rfbClientLog("VNC connection failed: %s\n",reason);
- free(reason);
-}
 static rfbBool ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)
|