Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
spice.5100
CVE-2017-7506.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-7506.patch of Package spice.5100
From 257f69d619fed407493156c8a7b952abc8a51314 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <fziglio@redhat.com> Date: Mon, 15 May 2017 15:57:28 +0100 Subject: [spice-server 1/3] reds: Disconnect when receiving overly big ClientMonitorsConfig Total message size received from the client was unlimited. There is a 2kiB size check on individual agent messages, but the MonitorsConfig message can be split in multiple chunks, and the size of the non-chunked MonitorsConfig message was never checked. This could easily lead to memory exhaustion on the host. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> --- server/reds.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) Index: spice-0.12.4/server/reds.c =================================================================== --- spice-0.12.4.orig/server/reds.c +++ spice-0.12.4/server/reds.c @@ -1076,6 +1076,7 @@ void reds_release_agent_data_buffer(uint static void reds_client_monitors_config_cleanup(void) { RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + uint32_t max_monitors; cmc->buffer_size = cmc->buffer_pos = 0; free(cmc->buffer); @@ -1086,26 +1087,57 @@ static void reds_client_monitors_config_ static void reds_on_main_agent_monitors_config( MainChannelClient *mcc, void *message, size_t size) { + const unsigned int MAX_MONITORS = 256; + const unsigned int MAX_MONITOR_CONFIG_SIZE = + sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); + VDAgentMessage *msg_header; VDAgentMonitorsConfig *monitors_config; RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + uint32_t max_monitors; + // limit size of message sent by the client as this can cause a DoS through + // memory exhaustion, or potentially some integer overflows + if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { + goto overflow; + } cmc->buffer_size += size; cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); spice_assert(cmc->buffer); cmc->mcc = mcc; memcpy(cmc->buffer + cmc->buffer_pos, message, size); cmc->buffer_pos += size; + if (sizeof(VDAgentMessage) > cmc->buffer_size) { + spice_debug("not enough data yet. %d", cmc->buffer_size); + return; + } msg_header = (VDAgentMessage *)cmc->buffer; - if (sizeof(VDAgentMessage) > cmc->buffer_size || - msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { + if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { + goto overflow; + } + if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { spice_debug("not enough data yet. %d\n", cmc->buffer_size); return; } + if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { + goto overflow; + } monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); + // limit the monitor number to avoid buffer overflows + max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / + sizeof(VDAgentMonConfig); + if (monitors_config->num_of_monitors > max_monitors) { + goto overflow; + } spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors); red_dispatcher_client_monitors_config(monitors_config); reds_client_monitors_config_cleanup(); + return; + +overflow: + spice_warning("received invalid MonitorsConfig request from client, disconnecting"); + red_channel_client_disconnect(main_channel_client_get_base(mcc)); + reds_client_monitors_config_cleanup(); } void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
