projects / packages / qemu.git / blame
| Commit | Line | Data |
|---|---|---|
| b03c1ed8 AM |
1 | Fix CORE-2008-1210 VNC DoS |
| 2 | ||
| 3 | If the client sends us a limit of zero, handle appropriately. | |
| 4 | ||
| 5 | Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> | |
| 6 | ||
| 7 | diff --git a/vnc.c b/vnc.c | |
| 8 | index 3a7d762..575fd68 100644 | |
| 9 | --- a/vnc.c | |
| 10 | +++ b/vnc.c | |
| 11 | @@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) | |
| 12 | if (len == 1) | |
| 13 | return 4; | |
| 14 | ||
| 15 | - if (len == 4) | |
| 16 | - return 4 + (read_u16(data, 2) * 4); | |
| 17 | + if (len == 4) { | |
| 18 | + limit = read_u16(data, 2); | |
| 19 | + if (limit > 0) | |
| 20 | + return 4 + (limit * 4); | |
| 21 | + } else | |
| 22 | + limit = read_u16(data, 2); | |
| 23 | ||
| 24 | - limit = read_u16(data, 2); | |
| 25 | for (i = 0; i < limit; i++) { | |
| 26 | int32_t val = read_s32(data, 4 + (i * 4)); | |
| 27 | memcpy(data + 4 + (i * 4), &val, sizeof(val)); |