Commit 95efcfbf authored by Christian Beier's avatar Christian Beier

Fix potential memory corruption in libvncclient.

Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]):

LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length

It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message.

  case rfbServerCutText:
  {
    char *buffer;

    if (!ReadFromRFBServer(client, ((char *)&msg) + 1,
                           sz_rfbServerCutTextMsg - 1))
      return FALSE;

    msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); /* << Retrieve malicious length */

    buffer = malloc(msg.sct.length+1); /* << Allocate buffer. Can return 0x0 */

    if (!ReadFromRFBServer(client, buffer, msg.sct.length)) /* << Attempt to write to buffer */
      return FALSE;

    buffer[msg.sct.length] = 0; /* << Attempt to write to buffer */

    if (client->GotXCutText)
      client->GotXCutText(client, buffer, msg.sct.length); /* << Attempt to write to buffer */

    free(buffer);

    break;
  }

If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.
parent cdc5b519
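The report above shows the server-controlled `msg.sct.length` reaching `malloc()` unchecked. The following is an added example, not libvncclient's code: a parser for the ServerCutText message body that bounds the length before allocating, checks the `malloc()` result, and reports which check failed. It works on an already-received byte buffer rather than a socket (a simplification of `ReadFromRFBServer`), and `CUT_TEXT_MAX_LEN` is an assumed policy limit, not a protocol constant.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hardened ServerCutText handling, added as an illustration. Wire layout per
 * the RFB protocol: 1 byte type (3 = ServerCutText), 3 bytes padding,
 * 4-byte big-endian length, then `length` bytes of text. */

/* Assumed upper bound for accepted cut text; a policy choice, not RFB. */
#define CUT_TEXT_MAX_LEN (1u << 20)

enum cut_text_status { CUT_OK = 0, CUT_TRUNCATED, CUT_TOO_LONG, CUT_NOMEM };

/* Parse `msg_len` bytes at `msg`. On CUT_OK, *out is a NUL-terminated heap
 * copy that the caller must free() and *out_len is its length in bytes. */
int parse_server_cut_text(const uint8_t *msg, size_t msg_len,
                          char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (msg_len < 8 || msg[0] != 3)
        return CUT_TRUNCATED;

    uint32_t length = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
                      ((uint32_t)msg[6] << 8)  |  (uint32_t)msg[7];

    /* Reject the attacker-chosen length before it reaches malloc(). The
     * original code called malloc(length+1) unconditionally, so a huge value
     * could make the allocation fail and the later writes go through NULL. */
    if (length > CUT_TEXT_MAX_LEN)
        return CUT_TOO_LONG;
    if (msg_len - 8 < length)
        return CUT_TRUNCATED;

    char *buffer = malloc((size_t)length + 1);
    if (!buffer)                 /* never memcpy() into or write through NULL */
        return CUT_NOMEM;

    memcpy(buffer, msg + 8, length);
    buffer[length] = '\0';
    *out = buffer;
    *out_len = length;
    return CUT_OK;
}
```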
......@@ -90,6 +90,13 @@ ReadFromRFBServer(rfbClient* client, char *out, unsigned int n)
int nn=n;
rfbClientLog("ReadFromRFBServer %d bytes\n",n);
#endif
/* Handle attempts to write to NULL out buffer that might occur
when an outside malloc() fails. For instance, memcpy() to NULL
results in undefined behaviour and probably memory corruption.*/
if(!out)
return FALSE;
if (client->serverPort==-1) {
/* vncrec playing */
rfbVNCRec* rec = client->vncRec;
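Review bot: the `if(!out) return FALSE;` guard stops the memcpy-to-NULL, but it reports a caller-side allocation failure as if the read itself failed, and it is silent; consider an `rfbClientLog` call (the logging helper is already used a few lines above) so an allocation failure is distinguishable from a socket error in client logs. The guard also only protects the write path: the caller's `malloc(msg.sct.length+1)` with a server-supplied length is still unbounded, so a sanity limit on `msg.sct.length` at the rfbServerCutText call site would be the more complete fix alongside this one.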