File LibVNCServer-CVE-2018-15126.patch of Package LibVNCServer

Overview Repositories Revisions Requests Users Attributes Meta

File LibVNCServer-CVE-2018-15126.patch of Package LibVNCServer (Revision daa510031fbe08af937d8727e683929d)

Currently displaying revision daa510031fbe08af937d8727e683929d , Show latest

diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
index 5f84e7f3..0003b11f 100644
--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
+++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
@@ -672,7 +672,7 @@ ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr rtcp, char* pBuf)
 		char reason[] = "Error writing file data";
 		int reasonLen = strlen(reason);
 		ftm = CreateFileUploadErrMsg(reason, reasonLen);
-		CloseUndoneFileTransfer(cl, rtcp);
+		CloseUndoneFileUpload(cl, rtcp);
 	}		
 	return ftm;
 }
@@ -735,7 +735,7 @@ CreateFileUploadErrMsg(char* reason, unsigned int reasonLen)
  ******************************************************************************/
 
 void
-CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp)
+CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr rtcp)
 {
 	/* TODO :: File Upload case is not handled currently */
 	/* TODO :: In case of concurrency we need to use Critical Section */
@@ -759,9 +759,19 @@ CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp)
 
 		memset(rtcp->rcft.rcfu.fName, 0 , PATH_MAX);
 	}
+}
+
+
+void
+CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+{
+	if(cl == NULL)
+		return;
 	
 	if(rtcp->rcft.rcfd.downloadInProgress == TRUE) {
 		rtcp->rcft.rcfd.downloadInProgress = FALSE;
+		/* the thread will return if downloadInProgress is FALSE */
+		pthread_join(rtcp->rcft.rcfd.downloadThread, NULL);
 
 		if(rtcp->rcft.rcfd.downloadFD != -1) {			
 			close(rtcp->rcft.rcfd.downloadFD);
diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.h b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
index 3b27bd04..bbb9148d 100644
--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.h
+++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
@@ -51,7 +51,8 @@ FileTransferMsg ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr data, c
 
 void CreateDirectory(char* dirName);
 void FileUpdateComplete(rfbClientPtr cl, rfbTightClientPtr data);
-void CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr data);
+void CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr data);
+void CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr data);
 
 void FreeFileTransferMsg(FileTransferMsg ftm);
 
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
index 04737831..71fb0851 100644
--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
@@ -489,12 +489,6 @@ RunFileDownloadThread(void* client)
 			if(rfbWriteExact(cl, fileDownloadMsg.data, fileDownloadMsg.length) < 0)  {
 				rfbLog("File [%s]: Method [%s]: Error while writing to socket \n"
 						, __FILE__, __FUNCTION__);
-
-				if(cl != NULL) {
-			    	rfbCloseClient(cl);
-				CloseUndoneFileTransfer(cl, rtcp);
-				}
-				
 				FreeFileTransferMsg(fileDownloadMsg);
 				return NULL;
 			}
@@ -508,7 +502,6 @@ RunFileDownloadThread(void* client)
 void
 HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
 {
-	pthread_t fileDownloadThread;
 	FileTransferMsg fileDownloadMsg;
 	
 	memset(&fileDownloadMsg, 0, sizeof(FileTransferMsg));
@@ -518,10 +511,9 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
 		FreeFileTransferMsg(fileDownloadMsg);
 		return;
 	}
-	rtcp->rcft.rcfd.downloadInProgress = FALSE;
-	rtcp->rcft.rcfd.downloadFD = -1;
+	CloseUndoneFileDownload(cl, rtcp);
 
-	if(pthread_create(&fileDownloadThread, NULL, RunFileDownloadThread, (void*) 
+	if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*)
 	cl) != 0) {
 		FileTransferMsg ftm = GetFileDownLoadErrMsg();
 		
@@ -593,7 +585,7 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
 					" reason <%s>\n", __FILE__, __FUNCTION__, reason);
 	
 	pthread_mutex_lock(&fileDownloadMutex);
-	CloseUndoneFileTransfer(cl, rtcp);
+	CloseUndoneFileDownload(cl, rtcp);
 	pthread_mutex_unlock(&fileDownloadMutex);
 	
 	if(reason != NULL) {
@@ -836,7 +828,7 @@ HandleFileUploadDataRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
 			FreeFileTransferMsg(ftm);
 		}
 
-		CloseUndoneFileTransfer(cl, rtcp);
+		CloseUndoneFileUpload(cl, rtcp);
 
 	    if(pBuf != NULL) {
 	    	free(pBuf);
@@ -936,7 +928,7 @@ HandleFileUploadFailedRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
 	rfbLog("File [%s]: Method [%s]: File Upload Failed Request received:"
 				" reason <%s>\n", __FILE__, __FUNCTION__, reason);
 
-	CloseUndoneFileTransfer(cl, rtcp);
+	CloseUndoneFileUpload(cl, rtcp);
 
 	if(reason != NULL) {
 		free(reason);
diff --git a/libvncserver/tightvnc-filetransfer/rfbtightproto.h b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
index d0fe642e..30fc5f54 100644
--- a/libvncserver/tightvnc-filetransfer/rfbtightproto.h
+++ b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
@@ -148,6 +148,7 @@ typedef struct _rfbClientFileDownload {
 	int downloadInProgress;
 	unsigned long mTime;
 	int downloadFD;
+	pthread_t downloadThread;
 } rfbClientFileDownload ;
 
 typedef struct _rfbClientFileUpload {
diff --git a/libvncserver/tightvnc-filetransfer/rfbtightserver.c b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
index 67d4cb54..651d8fb7 100644
--- a/libvncserver/tightvnc-filetransfer/rfbtightserver.c
+++ b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
@@ -26,6 +26,7 @@
 #include <rfb/rfb.h>
 #include "rfbtightproto.h"
 #include "handlefiletransferrequest.h"
+#include "filetransfermsg.h"
 
 /*
  * Get my data!
@@ -448,9 +449,11 @@ rfbTightExtensionMsgHandler(struct _rfbClientRec* cl, void* data,
 void
 rfbTightExtensionClientClose(rfbClientPtr cl, void* data) {
 
-	if(data != NULL)
+	if(data != NULL) {
+		CloseUndoneFileUpload(cl, data);
+		CloseUndoneFileDownload(cl, data);
 		free(data);
-
+	}
 }
 
 void

Places

File LibVNCServer-CVE-2018-15126.patch of Package LibVNCServer (Revision daa510031fbe08af937d8727e683929d)

Places