From 95efcfbf0c39e0b493509d2ad829b0d688641b41 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Fri, 10 Oct 2014 13:51:48 +0200
Subject: Fix potential memory corruption in libvncclient.

Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]):

LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length

It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message.

  case rfbServerCutText:
  {
    char *buffer;

    if (!ReadFromRFBServer(client, ((char *)&msg) + 1,
			   sz_rfbServerCutTextMsg - 1))
      return FALSE;

    msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length

    buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0

    if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer
      return FALSE;

    buffer[msg.sct.length] = 0; << Attempt to write to buffer

    if (client->GotXCutText)
      client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer

    free(buffer);

    break;
  }

If a message is provided with an extremely large size, it is possible to cause the malloc to fail, leading to an attempt to write to 0x0.
---
 libvncclient/sockets.c | 7 +++++++
 1 file changed, 7 insertions(+)


diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c
index e50ef0e..c09b555 100644
--- a/libvncclient/sockets.c
+++ b/libvncclient/sockets.c
@@ -90,6 +90,13 @@ ReadFromRFBServer(rfbClient* client, char *out, unsigned int n)
 	int nn=n;
 	rfbClientLog("ReadFromRFBServer %d bytes\n",n);
 #endif
+
+  /* Handle attempts to write to NULL out buffer that might occur
+     when an outside malloc() fails. For instance, memcpy() to NULL
+     results in undefined behaviour and probably memory corruption.*/
+  if(!out)
+    return FALSE;
+
   if (client->serverPort==-1) {
     /* vncrec playing */
     rfbVNCRec* rec = client->vncRec;
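Review bot: The added `if(!out) return FALSE;` only covers a NULL buffer, so the unchecked `malloc(msg.sct.length+1)` quoted in the description is still the real gap: if `length` is a 32-bit unsigned field (the `rfbClientSwap32IfLE` call suggests it is, but the type is not on this page), `length+1` can wrap to 0 and `malloc(0)` may return a small non-NULL block that this check accepts while the read still uses the full `length`. The caller should validate the length before allocating (reject or cap it) and test the malloc result itself, rather than relying on this layer; the same applies to any other caller that passes an unchecked allocation into ReadFromRFBServer. A log line on the new early return, e.g. `rfbClientLog("ReadFromRFBServer: NULL out buffer\n");`, would make an allocation failure visible instead of looking like an ordinary disconnect. Style: `if(!out)` should match the surrounding `if (` spacing, and the new lines use two-space indentation where the lines just above use a tab. ReadFromRFBServer begins before the hunk and continues after it.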
-- 