Compare commits
No commits in common. 'c8' and 'epel9' have entirely different histories.
@ -1 +1,8 @@
|
||||
SOURCES/LibVNCServer-0.9.11.tar.gz
|
||||
/LibVNCServer-0.9.8.2.tar.gz
|
||||
/LibVNCServer-0.9.9.tar.gz
|
||||
/LibVNCServer-0.9.10-646f844f.tar.gz
|
||||
/LibVNCServer-0.9.10-9453be42.tar.gz
|
||||
/LibVNCServer-0.9.10.tar.gz
|
||||
/LibVNCServer-0.9.11.tar.gz
|
||||
/LibVNCServer-0.9.12.tar.gz
|
||||
/LibVNCServer-0.9.13.tar.gz
|
||||
|
||||
@ -1 +0,0 @@
|
||||
d844a2c9e69465d104a8468dce515a49e4db9585 SOURCES/LibVNCServer-0.9.11.tar.gz
|
||||
@ -0,0 +1,28 @@
|
||||
From d138cf90130b0e8d5062f136ecdbcaa85e734d5d Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <info@christianbeier.net>
|
||||
Date: Mon, 20 Jul 2020 22:33:29 +0200
|
||||
Subject: [PATCH] libvncserver: don't NULL out internal of the default cursor
|
||||
|
||||
...otherwise an rfbScreen created after rfbScreenCleanup() was called
|
||||
gets assigned an invalid cursor struct.
|
||||
---
|
||||
libvncserver/main.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/main.c b/libvncserver/main.c
|
||||
index 9149fda3..a3a711e3 100644
|
||||
--- a/libvncserver/main.c
|
||||
+++ b/libvncserver/main.c
|
||||
@@ -1110,7 +1110,8 @@ void rfbScreenCleanup(rfbScreenInfoPtr screen)
|
||||
FREE_IF(underCursorBuffer);
|
||||
TINI_MUTEX(screen->cursorMutex);
|
||||
|
||||
- rfbFreeCursor(screen->cursor);
|
||||
+ if(screen->cursor != &myCursor)
|
||||
+ rfbFreeCursor(screen->cursor);
|
||||
|
||||
#ifdef LIBVNCSERVER_HAVE_LIBZ
|
||||
rfbZlibCleanup(screen);
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -0,0 +1,32 @@
|
||||
From 2a77dd86a97fa5f4735f678599cea839ba09009c Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <info@christianbeier.net>
|
||||
Date: Sun, 9 Aug 2020 20:11:26 +0200
|
||||
Subject: [PATCH 3/4] libvncserver/auth: don't keep security handlers from
|
||||
previous runs
|
||||
|
||||
Whyohsoever security handlers are stored in a variable global to the
|
||||
application, not in the rfbScreen struct. This meant that security
|
||||
handlers registered once would stick around forever before this commit.
|
||||
---
|
||||
libvncserver/auth.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libvncserver/auth.c b/libvncserver/auth.c
|
||||
index 55e0b3c9..fc74c800 100644
|
||||
--- a/libvncserver/auth.c
|
||||
+++ b/libvncserver/auth.c
|
||||
@@ -264,9 +264,11 @@ rfbSendSecurityTypeList(rfbClientPtr cl,
|
||||
primaryType = determinePrimarySecurityType(cl);
|
||||
switch (primaryType) {
|
||||
case rfbSecTypeNone:
|
||||
+ rfbUnregisterSecurityHandler(&VncSecurityHandlerVncAuth);
|
||||
rfbRegisterSecurityHandler(&VncSecurityHandlerNone);
|
||||
break;
|
||||
case rfbSecTypeVncAuth:
|
||||
+ rfbUnregisterSecurityHandler(&VncSecurityHandlerNone);
|
||||
rfbRegisterSecurityHandler(&VncSecurityHandlerVncAuth);
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -0,0 +1,45 @@
|
||||
From 641610b961a732bb68f111536ebf8c42be20f05b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
|
||||
Date: Wed, 16 Sep 2020 17:35:49 +0200
|
||||
Subject: [PATCH 4/4] zlib: Clear buffer pointers on cleanup (#444)
|
||||
|
||||
The pointers to the buffers were freed, and the size fields were set to
|
||||
0, but the buffer pointers themsef was not set to NULL, when shutting
|
||||
down, meaning the next time used, NULL checks would not tell whether the
|
||||
pointer is valid. This caused crashes ending with
|
||||
|
||||
#0 0x00007ffff73729e5 in raise () from /lib64/libc.so.6
|
||||
#1 0x00007ffff735b895 in abort () from /lib64/libc.so.6
|
||||
#2 0x00007ffff73b6857 in __libc_message () from /lib64/libc.so.6
|
||||
#3 0x00007ffff73bdd7c in malloc_printerr () from /lib64/libc.so.6
|
||||
#4 0x00007ffff73c2f1a in realloc () from /lib64/libc.so.6
|
||||
#5 0x00007ffff78b558e in rfbSendOneRectEncodingZlib (cl=0x4a4b80, x=0, y=0, w=800, h=40) at /home/jonas/Dev/gnome/libvncserver/libvncserver/zlib.c:106
|
||||
#6 0x00007ffff78b5dec in rfbSendRectEncodingZlib (cl=0x4a4b80, x=0, y=0, w=800, h=600) at /home/jonas/Dev/gnome/libvncserver/libvncserver/zlib.c:308
|
||||
#7 0x00007ffff7899453 in rfbSendFramebufferUpdate (cl=0x4a4b80, givenUpdateRegion=0x49ef70) at /home/jonas/Dev/gnome/libvncserver/libvncserver/rfbserver.c:3264
|
||||
#8 0x00007ffff789079d in rfbUpdateClient (cl=0x4a4b80) at /home/jonas/Dev/gnome/libvncserver/libvncserver/main.c:1275
|
||||
#9 0x00007ffff78905f5 in rfbProcessEvents (screen=0x4d5790, usec=0) at /home/jonas/Dev/gnome/libvncserver/libvncserver/main.c:1251
|
||||
---
|
||||
libvncserver/zlib.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libvncserver/zlib.c b/libvncserver/zlib.c
|
||||
index d24d7d15..5c3a8236 100644
|
||||
--- a/libvncserver/zlib.c
|
||||
+++ b/libvncserver/zlib.c
|
||||
@@ -64,11 +64,13 @@ void rfbZlibCleanup(rfbScreenInfoPtr screen)
|
||||
{
|
||||
if (zlibBeforeBufSize) {
|
||||
free(zlibBeforeBuf);
|
||||
+ zlibBeforeBuf = NULL;
|
||||
zlibBeforeBufSize=0;
|
||||
}
|
||||
if (zlibAfterBufSize) {
|
||||
zlibAfterBufSize=0;
|
||||
free(zlibAfterBuf);
|
||||
+ zlibAfterBuf = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,47 +0,0 @@
|
||||
From b793e8c51ab253c0951e43a84e9d448416462887 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
|
||||
Date: Wed, 27 Nov 2019 16:58:29 +0100
|
||||
Subject: [PATCH] auth: Add API to unregister built in security handlers
|
||||
|
||||
If I have a VNC server that first accepts password based authentication,
|
||||
then switches to something not using password (e.g. a prompt on screen),
|
||||
the security handler from the first would still be sent as, meaning
|
||||
clients would still ask for a password without there being one.
|
||||
---
|
||||
libvncserver/auth.c | 7 +++++++
|
||||
rfb/rfb.h | 1 +
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/libvncserver/auth.c b/libvncserver/auth.c
|
||||
index 55e0b3c9..8b6fc48f 100644
|
||||
--- a/libvncserver/auth.c
|
||||
+++ b/libvncserver/auth.c
|
||||
@@ -248,6 +248,13 @@ determinePrimarySecurityType(rfbClientPtr cl)
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+rfbUnregisterPrimarySecurityHandlers (void)
|
||||
+{
|
||||
+ rfbUnregisterSecurityHandler(&VncSecurityHandlerNone);
|
||||
+ rfbUnregisterSecurityHandler(&VncSecurityHandlerVncAuth);
|
||||
+}
|
||||
+
|
||||
void
|
||||
rfbSendSecurityTypeList(rfbClientPtr cl,
|
||||
enum rfbSecurityTag exclude)
|
||||
diff --git a/rfb/rfb.h b/rfb/rfb.h
|
||||
index 70b92242..738dbd82 100644
|
||||
--- a/rfb/rfb.h
|
||||
+++ b/rfb/rfb.h
|
||||
@@ -887,6 +887,7 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl);
|
||||
extern void rfbAuthProcessClientMessage(rfbClientPtr cl);
|
||||
extern void rfbRegisterSecurityHandler(rfbSecurityHandler* handler);
|
||||
extern void rfbUnregisterSecurityHandler(rfbSecurityHandler* handler);
|
||||
+extern void rfbUnregisterPrimarySecurityHandlers (void);
|
||||
extern void rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler);
|
||||
extern void rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler);
|
||||
extern void rfbSendSecurityTypeList(rfbClientPtr cl, enum rfbSecurityTag exclude);
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -1,28 +0,0 @@
|
||||
From 75f04c14e49e084e41bdd5491edad8823773a08c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <github@kempniu.pl>
|
||||
Date: Tue, 14 Feb 2017 12:42:04 +0100
|
||||
Subject: [PATCH 40/98] Ensure compatibility with gtk-vnc 0.7.0+
|
||||
|
||||
---
|
||||
libvncserver/websockets.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c
|
||||
index 72396c2..0b2d46f 100644
|
||||
--- a/libvncserver/websockets.c
|
||||
+++ b/libvncserver/websockets.c
|
||||
@@ -245,7 +245,10 @@ webSocketsCheck (rfbClientPtr cl)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- if (strncmp(bbuf, "<", 1) == 0) {
|
||||
+ if (strncmp(bbuf, "RFB ", 4) == 0) {
|
||||
+ rfbLog("Normal socket connection\n");
|
||||
+ return TRUE;
|
||||
+ } else if (strncmp(bbuf, "<", 1) == 0) {
|
||||
rfbLog("Got Flash policy request, sending response\n");
|
||||
if (rfbWriteExact(cl, FLASH_POLICY_RESPONSE,
|
||||
SZ_FLASH_POLICY_RESPONSE) < 0) {
|
||||
--
|
||||
2.9.4
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
diff -Naur libvncserver-LibVNCServer-0.9.10.old/libvncclient/tls_gnutls.c libvncserver-LibVNCServer-0.9.10/libvncclient/tls_gnutls.c
|
||||
--- libvncserver-LibVNCServer-0.9.10.old/libvncclient/tls_gnutls.c 2015-12-12 00:14:37.269157918 +0100
|
||||
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/tls_gnutls.c 2015-12-12 11:23:29.391385234 +0100
|
||||
@@ -31,8 +31,8 @@
|
||||
#include "tls.h"
|
||||
|
||||
|
||||
-static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA:+SRP";
|
||||
-static const char *rfbAnonTLSPriority= "NORMAL:+ANON-DH";
|
||||
+static const char *rfbTLSPriority = "@SYSTEM";
|
||||
+static const char *rfbAnonTLSPriority= "@SYSTEM:+ANON-DH";
|
||||
|
||||
#define DH_BITS 1024
|
||||
static gnutls_dh_params_t rfbDHParams;
|
||||
diff -Naur libvncserver-LibVNCServer-0.9.10.old/libvncserver/rfbssl_gnutls.c libvncserver-LibVNCServer-0.9.10/libvncserver/rfbssl_gnutls.c
|
||||
--- libvncserver-LibVNCServer-0.9.10.old/libvncserver/rfbssl_gnutls.c 2015-12-12 00:14:37.270157930 +0100
|
||||
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/rfbssl_gnutls.c 2015-12-12 11:14:49.966830581 +0100
|
||||
@@ -54,7 +54,7 @@
|
||||
|
||||
if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) {
|
||||
/* */
|
||||
- } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) {
|
||||
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_set_default_priority(session))) {
|
||||
/* */
|
||||
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) {
|
||||
/* */
|
||||
@ -1,20 +0,0 @@
|
||||
diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib LibVNCServer-0.9.1/libvncserver-config.in
|
||||
--- LibVNCServer-0.9.1/libvncserver-config.in.multilib 2007-05-26 21:28:25.000000000 -0500
|
||||
+++ LibVNCServer-0.9.1/libvncserver-config.in 2008-01-22 14:51:08.000000000 -0600
|
||||
@@ -4,7 +4,6 @@ prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
exec_prefix_set=no
|
||||
includedir=@includedir@
|
||||
-libdir=@libdir@
|
||||
|
||||
# if this script is in the same directory as libvncserver-config.in, assume not installed
|
||||
if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then
|
||||
@@ -63,7 +62,7 @@ while test $# -gt 0; do
|
||||
libs="$libs -R$dir"
|
||||
fi
|
||||
done
|
||||
- echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@
|
||||
+ echo "$libs" -lvncserver -lvncclient
|
||||
;;
|
||||
--link)
|
||||
echo @CC@
|
||||
@ -1,694 +0,0 @@
|
||||
Backport of:
|
||||
From aac95a9dcf4bbba87b76c72706c3221a842ca433 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Weigel <andreaswe@securepoint.de>
|
||||
Date: Wed, 15 Feb 2017 12:31:05 +0100
|
||||
Subject: [PATCH] fix overflow and refactor websockets decode (Hybi)
|
||||
|
||||
fix critical heap-based buffer overflow which allowed easy modification
|
||||
of a return address via an overwritten function pointer
|
||||
|
||||
fix bug causing connections to fail due a "one websocket frame = one
|
||||
ws_read" assumption, which failed with LibVNCServer-0.9.11
|
||||
|
||||
refactor websocket Hybi decode to use a simple state machine for
|
||||
decoding of websocket frames
|
||||
|
||||
[Ubuntu note: Renamed b64_pton to __b64_pton in patch to ensure patch can be
|
||||
applied.
|
||||
-- Avital]
|
||||
|
||||
---
|
||||
libvncserver/websockets.c | 595 +++++++++++++++++++++++++++++---------
|
||||
1 file changed, 463 insertions(+), 132 deletions(-)
|
||||
|
||||
--- a/libvncserver/websockets.c
|
||||
+++ b/libvncserver/websockets.c
|
||||
@@ -62,6 +62,9 @@
|
||||
|
||||
#define B64LEN(__x) (((__x + 2) / 3) * 12 / 3)
|
||||
#define WSHLENMAX 14 /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */
|
||||
+#define WS_HYBI_MASK_LEN 4
|
||||
+
|
||||
+#define ARRAYSIZE(a) ((sizeof(a) / sizeof((a[0]))) / (size_t)(!(sizeof(a) % sizeof((a[0])))))
|
||||
|
||||
enum {
|
||||
WEBSOCKETS_VERSION_HIXIE,
|
||||
@@ -78,20 +81,20 @@ static int gettid() {
|
||||
typedef int (*wsEncodeFunc)(rfbClientPtr cl, const char *src, int len, char **dst);
|
||||
typedef int (*wsDecodeFunc)(rfbClientPtr cl, char *dst, int len);
|
||||
|
||||
-typedef struct ws_ctx_s {
|
||||
- char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
|
||||
- char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
|
||||
- char readbuf[8192];
|
||||
- int readbufstart;
|
||||
- int readbuflen;
|
||||
- int dblen;
|
||||
- char carryBuf[3]; /* For base64 carry-over */
|
||||
- int carrylen;
|
||||
- int version;
|
||||
- int base64;
|
||||
- wsEncodeFunc encode;
|
||||
- wsDecodeFunc decode;
|
||||
-} ws_ctx_t;
|
||||
+
|
||||
+enum {
|
||||
+ /* header not yet received completely */
|
||||
+ WS_HYBI_STATE_HEADER_PENDING,
|
||||
+ /* data available */
|
||||
+ WS_HYBI_STATE_DATA_AVAILABLE,
|
||||
+ WS_HYBI_STATE_DATA_NEEDED,
|
||||
+ /* received a complete frame */
|
||||
+ WS_HYBI_STATE_FRAME_COMPLETE,
|
||||
+ /* received part of a 'close' frame */
|
||||
+ WS_HYBI_STATE_CLOSE_REASON_PENDING,
|
||||
+ /* */
|
||||
+ WS_HYBI_STATE_ERR
|
||||
+};
|
||||
|
||||
typedef union ws_mask_s {
|
||||
char c[4];
|
||||
@@ -119,6 +122,38 @@ typedef struct __attribute__ ((__packed_
|
||||
} u;
|
||||
} ws_header_t;
|
||||
|
||||
+typedef struct ws_header_data_s {
|
||||
+ ws_header_t *data;
|
||||
+ /** bytes read */
|
||||
+ int nRead;
|
||||
+ /** mask value */
|
||||
+ ws_mask_t mask;
|
||||
+ /** length of frame header including payload len, but without mask */
|
||||
+ int headerLen;
|
||||
+ /** length of the payload data */
|
||||
+ int payloadLen;
|
||||
+ /** opcode */
|
||||
+ unsigned char opcode;
|
||||
+} ws_header_data_t;
|
||||
+
|
||||
+typedef struct ws_ctx_s {
|
||||
+ char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
|
||||
+ char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
|
||||
+ char *writePos;
|
||||
+ unsigned char *readPos;
|
||||
+ int readlen;
|
||||
+ int hybiDecodeState;
|
||||
+ char carryBuf[3]; /* For base64 carry-over */
|
||||
+ int carrylen;
|
||||
+ int version;
|
||||
+ int base64;
|
||||
+ ws_header_data_t header;
|
||||
+ int nReadRaw;
|
||||
+ int nToRead;
|
||||
+ wsEncodeFunc encode;
|
||||
+ wsDecodeFunc decode;
|
||||
+} ws_ctx_t;
|
||||
+
|
||||
enum
|
||||
{
|
||||
WS_OPCODE_CONTINUATION = 0x0,
|
||||
@@ -179,6 +214,8 @@ static int webSocketsEncodeHixie(rfbClie
|
||||
static int webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len);
|
||||
static int webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len);
|
||||
|
||||
+static void hybiDecodeCleanup(ws_ctx_t *wsctx);
|
||||
+
|
||||
static int
|
||||
min (int a, int b) {
|
||||
return a < b ? a : b;
|
||||
@@ -440,10 +477,11 @@ webSocketsHandshake(rfbClientPtr cl, cha
|
||||
wsctx->decode = webSocketsDecodeHixie;
|
||||
}
|
||||
wsctx->base64 = base64;
|
||||
+ hybiDecodeCleanup(wsctx);
|
||||
cl->wsctx = (wsCtx *)wsctx;
|
||||
return TRUE;
|
||||
}
|
||||
-
|
||||
+
|
||||
void
|
||||
webSocketsGenMd5(char * target, char *key1, char *key2, char *key3)
|
||||
{
|
||||
@@ -635,146 +673,439 @@ webSocketsDecodeHixie(rfbClientPtr cl, c
|
||||
}
|
||||
|
||||
static int
|
||||
-webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
|
||||
+hybiRemaining(ws_ctx_t *wsctx)
|
||||
{
|
||||
- char *buf, *payload;
|
||||
- uint32_t *payload32;
|
||||
- int ret = -1, result = -1;
|
||||
- int total = 0;
|
||||
- ws_mask_t mask;
|
||||
- ws_header_t *header;
|
||||
- int i;
|
||||
- unsigned char opcode;
|
||||
- ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
||||
- int flength, fhlen;
|
||||
- /* int fin; */ /* not used atm */
|
||||
+ return wsctx->nToRead - wsctx->nReadRaw;
|
||||
+}
|
||||
|
||||
- /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
|
||||
+static void
|
||||
+hybiDecodeCleanup(ws_ctx_t *wsctx)
|
||||
+{
|
||||
+ wsctx->header.payloadLen = 0;
|
||||
+ wsctx->header.mask.u = 0;
|
||||
+ wsctx->nReadRaw = 0;
|
||||
+ wsctx->nToRead= 0;
|
||||
+ wsctx->carrylen = 0;
|
||||
+ wsctx->readPos = (unsigned char *)wsctx->codeBufDecode;
|
||||
+ wsctx->readlen = 0;
|
||||
+ wsctx->hybiDecodeState = WS_HYBI_STATE_HEADER_PENDING;
|
||||
+ wsctx->writePos = NULL;
|
||||
+ rfbLog("cleaned up wsctx\n");
|
||||
+}
|
||||
|
||||
- if (wsctx->readbuflen) {
|
||||
- /* simply return what we have */
|
||||
- if (wsctx->readbuflen > len) {
|
||||
- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, len);
|
||||
- result = len;
|
||||
- wsctx->readbuflen -= len;
|
||||
- wsctx->readbufstart += len;
|
||||
+/**
|
||||
+ * Return payload data that has been decoded/unmasked from
|
||||
+ * a websocket frame.
|
||||
+ *
|
||||
+ * @param[out] dst destination buffer
|
||||
+ * @param[in] len bytes to copy to destination buffer
|
||||
+ * @param[in,out] wsctx internal state of decoding procedure
|
||||
+ * @param[out] number of bytes actually written to dst buffer
|
||||
+ * @return next hybi decoding state
|
||||
+ */
|
||||
+static int
|
||||
+hybiReturnData(char *dst, int len, ws_ctx_t *wsctx, int *nWritten)
|
||||
+{
|
||||
+ int nextState = WS_HYBI_STATE_ERR;
|
||||
+
|
||||
+ /* if we have something already decoded copy and return */
|
||||
+ if (wsctx->readlen > 0) {
|
||||
+ /* simply return what we have */
|
||||
+ if (wsctx->readlen > len) {
|
||||
+ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", len, wsctx->readPos, wsctx->readlen);
|
||||
+ memcpy(dst, wsctx->readPos, len);
|
||||
+ *nWritten = len;
|
||||
+ wsctx->readlen -= len;
|
||||
+ wsctx->readPos += len;
|
||||
+ nextState = WS_HYBI_STATE_DATA_AVAILABLE;
|
||||
+ } else {
|
||||
+ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", wsctx->readlen, wsctx->readPos, wsctx->readlen);
|
||||
+ memcpy(dst, wsctx->readPos, wsctx->readlen);
|
||||
+ *nWritten = wsctx->readlen;
|
||||
+ wsctx->readlen = 0;
|
||||
+ wsctx->readPos = NULL;
|
||||
+ if (hybiRemaining(wsctx) == 0) {
|
||||
+ nextState = WS_HYBI_STATE_FRAME_COMPLETE;
|
||||
} else {
|
||||
- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, wsctx->readbuflen);
|
||||
- result = wsctx->readbuflen;
|
||||
- wsctx->readbuflen = 0;
|
||||
- wsctx->readbufstart = 0;
|
||||
+ nextState = WS_HYBI_STATE_DATA_NEEDED;
|
||||
}
|
||||
- goto spor;
|
||||
}
|
||||
+ rfbLog("after copy: readPos=%p, readLen=%d\n", wsctx->readPos, wsctx->readlen);
|
||||
+ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_CLOSE_REASON_PENDING) {
|
||||
+ nextState = WS_HYBI_STATE_CLOSE_REASON_PENDING;
|
||||
+ }
|
||||
+ return nextState;
|
||||
+}
|
||||
|
||||
- buf = wsctx->codeBufDecode;
|
||||
- header = (ws_header_t *)wsctx->codeBufDecode;
|
||||
+/**
|
||||
+ * Read an RFC 6455 websocket frame (IETF hybi working group).
|
||||
+ *
|
||||
+ * Internal state is updated according to bytes received and the
|
||||
+ * decoding of header information.
|
||||
+ *
|
||||
+ * @param[in] cl client ptr with ptr to raw socket and ws_ctx_t ptr
|
||||
+ * @param[out] sockRet emulated recv return value
|
||||
+ * @return next hybi decoding state; WS_HYBI_STATE_HEADER_PENDING indicates
|
||||
+ * that the header was not received completely.
|
||||
+ */
|
||||
+static int
|
||||
+hybiReadHeader(rfbClientPtr cl, int *sockRet)
|
||||
+{
|
||||
+ int ret;
|
||||
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
||||
+ char *headerDst = wsctx->codeBufDecode + wsctx->nReadRaw;
|
||||
+ int n = WSHLENMAX - wsctx->nReadRaw;
|
||||
+
|
||||
+ rfbLog("header_read to %p with len=%d\n", headerDst, n);
|
||||
+ ret = ws_read(cl, headerDst, n);
|
||||
+ rfbLog("read %d bytes from socket\n", ret);
|
||||
+ if (ret <= 0) {
|
||||
+ if (-1 == ret) {
|
||||
+ /* save errno because rfbErr() will tamper it */
|
||||
+ int olderrno = errno;
|
||||
+ rfbErr("%s: peek; %m\n", __func__);
|
||||
+ errno = olderrno;
|
||||
+ *sockRet = -1;
|
||||
+ } else {
|
||||
+ *sockRet = 0;
|
||||
+ }
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
|
||||
- ret = ws_peek(cl, buf, B64LEN(len) + WSHLENMAX);
|
||||
+ wsctx->nReadRaw += ret;
|
||||
+ if (wsctx->nReadRaw < 2) {
|
||||
+ /* cannot decode header with less than two bytes */
|
||||
+ errno = EAGAIN;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_HEADER_PENDING;
|
||||
+ }
|
||||
+
|
||||
+ /* first two header bytes received; interpret header data and get rest */
|
||||
+ wsctx->header.data = (ws_header_t *)wsctx->codeBufDecode;
|
||||
+
|
||||
+ wsctx->header.opcode = wsctx->header.data->b0 & 0x0f;
|
||||
+
|
||||
+ /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
|
||||
+ wsctx->header.payloadLen = wsctx->header.data->b1 & 0x7f;
|
||||
+ rfbLog("first header bytes received; opcode=%d lenbyte=%d\n", wsctx->header.opcode, wsctx->header.payloadLen);
|
||||
+
|
||||
+ /*
|
||||
+ * 4.3. Client-to-Server Masking
|
||||
+ *
|
||||
+ * The client MUST mask all frames sent to the server. A server MUST
|
||||
+ * close the connection upon receiving a frame with the MASK bit set to 0.
|
||||
+ **/
|
||||
+ if (!(wsctx->header.data->b1 & 0x80)) {
|
||||
+ rfbErr("%s: got frame without mask ret=%d\n", __func__, ret);
|
||||
+ errno = EIO;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (wsctx->header.payloadLen < 126 && wsctx->nReadRaw >= 6) {
|
||||
+ wsctx->header.headerLen = 2 + WS_HYBI_MASK_LEN;
|
||||
+ wsctx->header.mask = wsctx->header.data->u.m;
|
||||
+ } else if (wsctx->header.payloadLen == 126 && 8 <= wsctx->nReadRaw) {
|
||||
+ wsctx->header.headerLen = 4 + WS_HYBI_MASK_LEN;
|
||||
+ wsctx->header.payloadLen = WS_NTOH16(wsctx->header.data->u.s16.l16);
|
||||
+ wsctx->header.mask = wsctx->header.data->u.s16.m16;
|
||||
+ } else if (wsctx->header.payloadLen == 127 && 14 <= wsctx->nReadRaw) {
|
||||
+ wsctx->header.headerLen = 10 + WS_HYBI_MASK_LEN;
|
||||
+ wsctx->header.payloadLen = WS_NTOH64(wsctx->header.data->u.s64.l64);
|
||||
+ wsctx->header.mask = wsctx->header.data->u.s64.m64;
|
||||
+ } else {
|
||||
+ /* Incomplete frame header, try again */
|
||||
+ rfbErr("%s: incomplete frame header; ret=%d\n", __func__, ret);
|
||||
+ errno = EAGAIN;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_HEADER_PENDING;
|
||||
+ }
|
||||
+
|
||||
+ /* absolute length of frame */
|
||||
+ wsctx->nToRead = wsctx->header.headerLen + wsctx->header.payloadLen;
|
||||
|
||||
- if (ret < 2) {
|
||||
- /* save errno because rfbErr() will tamper it */
|
||||
- if (-1 == ret) {
|
||||
- int olderrno = errno;
|
||||
- rfbErr("%s: peek; %m\n", __func__);
|
||||
- errno = olderrno;
|
||||
- } else if (0 == ret) {
|
||||
- result = 0;
|
||||
- } else {
|
||||
- errno = EAGAIN;
|
||||
- }
|
||||
- goto spor;
|
||||
- }
|
||||
+ /* set payload pointer just after header */
|
||||
+ wsctx->writePos = wsctx->codeBufDecode + wsctx->nReadRaw;
|
||||
|
||||
- opcode = header->b0 & 0x0f;
|
||||
- /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
|
||||
- flength = header->b1 & 0x7f;
|
||||
+ wsctx->readPos = (unsigned char *)(wsctx->codeBufDecode + wsctx->header.headerLen);
|
||||
|
||||
- /*
|
||||
- * 4.3. Client-to-Server Masking
|
||||
- *
|
||||
- * The client MUST mask all frames sent to the server. A server MUST
|
||||
- * close the connection upon receiving a frame with the MASK bit set to 0.
|
||||
- **/
|
||||
- if (!(header->b1 & 0x80)) {
|
||||
- rfbErr("%s: got frame without mask\n", __func__, ret);
|
||||
- errno = EIO;
|
||||
- goto spor;
|
||||
- }
|
||||
-
|
||||
- if (flength < 126) {
|
||||
- fhlen = 2;
|
||||
- mask = header->u.m;
|
||||
- } else if (flength == 126 && 4 <= ret) {
|
||||
- flength = WS_NTOH16(header->u.s16.l16);
|
||||
- fhlen = 4;
|
||||
- mask = header->u.s16.m16;
|
||||
- } else if (flength == 127 && 10 <= ret) {
|
||||
- flength = WS_NTOH64(header->u.s64.l64);
|
||||
- fhlen = 10;
|
||||
- mask = header->u.s64.m64;
|
||||
- } else {
|
||||
- /* Incomplete frame header */
|
||||
- rfbErr("%s: incomplete frame header\n", __func__, ret);
|
||||
- errno = EIO;
|
||||
- goto spor;
|
||||
- }
|
||||
+ rfbLog("header complete: state=%d flen=%d writeTo=%p\n", wsctx->hybiDecodeState, wsctx->nToRead, wsctx->writePos);
|
||||
+
|
||||
+ return WS_HYBI_STATE_DATA_NEEDED;
|
||||
+}
|
||||
|
||||
- /* absolute length of frame */
|
||||
- total = fhlen + flength + 4;
|
||||
- payload = buf + fhlen + 4; /* header length + mask */
|
||||
+static int
|
||||
+hybiWsFrameComplete(ws_ctx_t *wsctx)
|
||||
+{
|
||||
+ return wsctx != NULL && hybiRemaining(wsctx) == 0;
|
||||
+}
|
||||
|
||||
- if (-1 == (ret = ws_read(cl, buf, total))) {
|
||||
+static char *
|
||||
+hybiPayloadStart(ws_ctx_t *wsctx)
|
||||
+{
|
||||
+ return wsctx->codeBufDecode + wsctx->header.headerLen;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+/**
|
||||
+ * Read the remaining payload bytes from associated raw socket.
|
||||
+ *
|
||||
+ * - try to read remaining bytes from socket
|
||||
+ * - unmask all multiples of 4
|
||||
+ * - if frame incomplete but some bytes are left, these are copied to
|
||||
+ * the carry buffer
|
||||
+ * - if opcode is TEXT: Base64-decode all unmasked received bytes
|
||||
+ * - set state for reading decoded data
|
||||
+ * - reset write position to begin of buffer (+ header)
|
||||
+ * --> before we retrieve more data we let the caller clear all bytes
|
||||
+ * from the reception buffer
|
||||
+ * - execute return data routine
|
||||
+ *
|
||||
+ * Sets errno corresponding to what it gets from the underlying
|
||||
+ * socket or EIO if some internal sanity check fails.
|
||||
+ *
|
||||
+ * @param[in] cl client ptr with raw socket reference
|
||||
+ * @param[out] dst destination buffer
|
||||
+ * @param[in] len size of destination buffer
|
||||
+ * @param[out] sockRet emulated recv return value
|
||||
+ * @return next hybi decode state
|
||||
+ */
|
||||
+static int
|
||||
+hybiReadAndDecode(rfbClientPtr cl, char *dst, int len, int *sockRet)
|
||||
+{
|
||||
+ int n;
|
||||
+ int i;
|
||||
+ int toReturn;
|
||||
+ int toDecode;
|
||||
+ int bufsize;
|
||||
+ int nextRead;
|
||||
+ unsigned char *data;
|
||||
+ uint32_t *data32;
|
||||
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
||||
+
|
||||
+ /* if data was carried over, copy to start of buffer */
|
||||
+ memcpy(wsctx->writePos, wsctx->carryBuf, wsctx->carrylen);
|
||||
+ wsctx->writePos += wsctx->carrylen;
|
||||
+
|
||||
+ /* -1 accounts for potential '\0' terminator for base64 decoding */
|
||||
+ bufsize = wsctx->codeBufDecode + ARRAYSIZE(wsctx->codeBufDecode) - wsctx->writePos - 1;
|
||||
+ if (hybiRemaining(wsctx) > bufsize) {
|
||||
+ nextRead = bufsize;
|
||||
+ } else {
|
||||
+ nextRead = hybiRemaining(wsctx);
|
||||
+ }
|
||||
+
|
||||
+ rfbLog("calling read with buf=%p and len=%d (decodebuf=%p headerLen=%d\n)", wsctx->writePos, nextRead, wsctx->codeBufDecode, wsctx->header.headerLen);
|
||||
+
|
||||
+ if (wsctx->nReadRaw < wsctx->nToRead) {
|
||||
+ /* decode more data */
|
||||
+ if (-1 == (n = ws_read(cl, wsctx->writePos, nextRead))) {
|
||||
int olderrno = errno;
|
||||
rfbErr("%s: read; %m", __func__);
|
||||
errno = olderrno;
|
||||
- return ret;
|
||||
- } else if (ret < total) {
|
||||
- /* GT TODO: hmm? */
|
||||
- rfbLog("%s: read; got partial data\n", __func__);
|
||||
- } else {
|
||||
- buf[ret] = '\0';
|
||||
- }
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ } else if (n == 0) {
|
||||
+ *sockRet = 0;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
+ wsctx->nReadRaw += n;
|
||||
+ rfbLog("read %d bytes from socket; nRead=%d\n", n, wsctx->nReadRaw);
|
||||
+ } else {
|
||||
+ n = 0;
|
||||
+ }
|
||||
+
|
||||
+ wsctx->writePos += n;
|
||||
+
|
||||
+ if (wsctx->nReadRaw >= wsctx->nToRead) {
|
||||
+ if (wsctx->nReadRaw > wsctx->nToRead) {
|
||||
+ rfbErr("%s: internal error, read past websocket frame", __func__);
|
||||
+ errno=EIO;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ toDecode = wsctx->writePos - hybiPayloadStart(wsctx);
|
||||
+ rfbLog("toDecode=%d from n=%d carrylen=%d headerLen=%d\n", toDecode, n, wsctx->carrylen, wsctx->header.headerLen);
|
||||
+ if (toDecode < 0) {
|
||||
+ rfbErr("%s: internal error; negative number of bytes to decode: %d", __func__, toDecode);
|
||||
+ errno=EIO;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ /* for a possible base64 decoding, we decode multiples of 4 bytes until
|
||||
+ * the whole frame is received and carry over any remaining bytes in the carry buf*/
|
||||
+ data = (unsigned char *)hybiPayloadStart(wsctx);
|
||||
+ data32= (uint32_t *)data;
|
||||
+
|
||||
+ for (i = 0; i < (toDecode >> 2); i++) {
|
||||
+ data32[i] ^= wsctx->header.mask.u;
|
||||
+ }
|
||||
+ rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
|
||||
|
||||
- /* process 1 frame (32 bit op) */
|
||||
- payload32 = (uint32_t *)payload;
|
||||
- for (i = 0; i < flength / 4; i++) {
|
||||
- payload32[i] ^= mask.u;
|
||||
- }
|
||||
+ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
|
||||
/* process the remaining bytes (if any) */
|
||||
- for (i*=4; i < flength; i++) {
|
||||
- payload[i] ^= mask.c[i % 4];
|
||||
+ for (i*=4; i < toDecode; i++) {
|
||||
+ data[i] ^= wsctx->header.mask.c[i % 4];
|
||||
}
|
||||
|
||||
- switch (opcode) {
|
||||
- case WS_OPCODE_CLOSE:
|
||||
- rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)payload)[0]));
|
||||
- errno = ECONNRESET;
|
||||
- break;
|
||||
- case WS_OPCODE_TEXT_FRAME:
|
||||
- if (-1 == (flength = __b64_pton(payload, (unsigned char *)wsctx->codeBufDecode, sizeof(wsctx->codeBufDecode)))) {
|
||||
- rfbErr("%s: Base64 decode error; %m\n", __func__);
|
||||
- break;
|
||||
- }
|
||||
- payload = wsctx->codeBufDecode;
|
||||
- /* fall through */
|
||||
- case WS_OPCODE_BINARY_FRAME:
|
||||
- if (flength > len) {
|
||||
- memcpy(wsctx->readbuf, payload + len, flength - len);
|
||||
- wsctx->readbufstart = 0;
|
||||
- wsctx->readbuflen = flength - len;
|
||||
- flength = len;
|
||||
- }
|
||||
- memcpy(dst, payload, flength);
|
||||
- result = flength;
|
||||
- break;
|
||||
+ /* all data is here, no carrying */
|
||||
+ wsctx->carrylen = 0;
|
||||
+ } else {
|
||||
+ /* carry over remaining, non-multiple-of-four bytes */
|
||||
+ wsctx->carrylen = toDecode - (i * 4);
|
||||
+ if (wsctx->carrylen < 0 || wsctx->carrylen > ARRAYSIZE(wsctx->carryBuf)) {
|
||||
+ rfbErr("%s: internal error, invalid carry over size: carrylen=%d, toDecode=%d, i=%d", __func__, wsctx->carrylen, toDecode, i);
|
||||
+ *sockRet = -1;
|
||||
+ errno = EIO;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
+ rfbLog("carrying over %d bytes from %p to %p\n", wsctx->carrylen, wsctx->writePos + (i * 4), wsctx->carryBuf);
|
||||
+ memcpy(wsctx->carryBuf, data + (i * 4), wsctx->carrylen);
|
||||
+ }
|
||||
+
|
||||
+ toReturn = toDecode - wsctx->carrylen;
|
||||
+
|
||||
+ switch (wsctx->header.opcode) {
|
||||
+ case WS_OPCODE_CLOSE:
|
||||
+
|
||||
+ /* this data is not returned as payload data */
|
||||
+ if (hybiWsFrameComplete(wsctx)) {
|
||||
+ rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)data)[0]));
|
||||
+ errno = ECONNRESET;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_FRAME_COMPLETE;
|
||||
+ } else {
|
||||
+ rfbErr("%s: close reason with long frame not supported", __func__);
|
||||
+ errno = EIO;
|
||||
+ *sockRet = -1;
|
||||
+ return WS_HYBI_STATE_ERR;
|
||||
+ }
|
||||
+ break;
|
||||
+ case WS_OPCODE_TEXT_FRAME:
|
||||
+ data[toReturn] = '\0';
|
||||
+ rfbLog("Initiate Base64 decoding in %p with max size %d and '\\0' at %p\n", data, bufsize, data + toReturn);
|
||||
+ if (-1 == (wsctx->readlen = __b64_pton((char *)data, data, bufsize))) {
|
||||
+ rfbErr("Base64 decode error in %s; data=%p bufsize=%d", __func__, data, bufsize);
|
||||
+ rfbErr("%s: Base64 decode error; %m\n", __func__);
|
||||
+ }
|
||||
+ wsctx->writePos = hybiPayloadStart(wsctx);
|
||||
+ break;
|
||||
+ case WS_OPCODE_BINARY_FRAME:
|
||||
+ wsctx->readlen = toReturn;
|
||||
+ wsctx->writePos = hybiPayloadStart(wsctx);
|
||||
+ break;
|
||||
+ default:
|
||||
+ rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)wsctx->header.opcode, wsctx->header.data->b0, wsctx->header.data->b1);
|
||||
+ }
|
||||
+ wsctx->readPos = data;
|
||||
+
|
||||
+ return hybiReturnData(dst, len, wsctx, sockRet);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * Read function for websocket-socket emulation.
|
||||
+ *
|
||||
+ * 0 1 2 3
|
||||
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+ * +-+-+-+-+-------+-+-------------+-------------------------------+
|
||||
+ * |F|R|R|R| opcode|M| Payload len | Extended payload length |
|
||||
+ * |I|S|S|S| (4) |A| (7) | (16/64) |
|
||||
+ * |N|V|V|V| |S| | (if payload len==126/127) |
|
||||
+ * | |1|2|3| |K| | |
|
||||
+ * +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
|
||||
+ * | Extended payload length continued, if payload len == 127 |
|
||||
+ * + - - - - - - - - - - - - - - - +-------------------------------+
|
||||
+ * | |Masking-key, if MASK set to 1 |
|
||||
+ * +-------------------------------+-------------------------------+
|
||||
+ * | Masking-key (continued) | Payload Data |
|
||||
+ * +-------------------------------- - - - - - - - - - - - - - - - +
|
||||
+ * : Payload Data continued ... :
|
||||
+ * + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
|
||||
+ * | Payload Data continued ... |
|
||||
+ * +---------------------------------------------------------------+
|
||||
+ *
|
||||
+ * Using the decode buffer, this function:
|
||||
+ * - reads the complete header from the underlying socket
|
||||
+ * - reads any remaining data bytes
|
||||
+ * - unmasks the payload data using the provided mask
|
||||
+ * - decodes Base64 encoded text data
|
||||
+ * - copies len bytes of decoded payload data into dst
|
||||
+ *
|
||||
+ * Emulates a read call on a socket.
|
||||
+ */
|
||||
+static int
|
||||
+webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
|
||||
+{
|
||||
+ int result = -1;
|
||||
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
||||
+ /* int fin; */ /* not used atm */
|
||||
+
|
||||
+ /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
|
||||
+ rfbLog("%s_enter: len=%d; "
|
||||
+ "CTX: readlen=%d readPos=%p "
|
||||
+ "writeTo=%p "
|
||||
+ "state=%d toRead=%d remaining=%d "
|
||||
+ " nReadRaw=%d carrylen=%d carryBuf=%p\n",
|
||||
+ __func__, len,
|
||||
+ wsctx->readlen, wsctx->readPos,
|
||||
+ wsctx->writePos,
|
||||
+ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
|
||||
+ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf);
|
||||
+
|
||||
+ switch (wsctx->hybiDecodeState){
|
||||
+ case WS_HYBI_STATE_HEADER_PENDING:
|
||||
+ wsctx->hybiDecodeState = hybiReadHeader(cl, &result);
|
||||
+ if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
|
||||
+ goto spor;
|
||||
+ }
|
||||
+ if (wsctx->hybiDecodeState != WS_HYBI_STATE_HEADER_PENDING) {
|
||||
+
|
||||
+ /* when header is complete, try to read some more data */
|
||||
+ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
|
||||
+ }
|
||||
+ break;
|
||||
+ case WS_HYBI_STATE_DATA_AVAILABLE:
|
||||
+ wsctx->hybiDecodeState = hybiReturnData(dst, len, wsctx, &result);
|
||||
+ break;
|
||||
+ case WS_HYBI_STATE_DATA_NEEDED:
|
||||
+ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
|
||||
+ break;
|
||||
+ case WS_HYBI_STATE_CLOSE_REASON_PENDING:
|
||||
+ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
|
||||
+ break;
|
||||
default:
|
||||
- rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)opcode, header->b0, header->b1);
|
||||
+ /* invalid state */
|
||||
+ rfbErr("%s: called with invalid state %d\n", wsctx->hybiDecodeState);
|
||||
+ result = -1;
|
||||
+ errno = EIO;
|
||||
+ wsctx->hybiDecodeState = WS_HYBI_STATE_ERR;
|
||||
}
|
||||
|
||||
/* single point of return, if someone has questions :-) */
|
||||
spor:
|
||||
/* rfbLog("%s: ret: %d/%d\n", __func__, result, len); */
|
||||
+ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
|
||||
+ rfbLog("frame received successfully, cleaning up: read=%d hlen=%d plen=%d\n", wsctx->header.nRead, wsctx->header.headerLen, wsctx->header.payloadLen);
|
||||
+ /* frame finished, cleanup state */
|
||||
+ hybiDecodeCleanup(wsctx);
|
||||
+ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
|
||||
+ hybiDecodeCleanup(wsctx);
|
||||
+ }
|
||||
+ rfbLog("%s_exit: len=%d; "
|
||||
+ "CTX: readlen=%d readPos=%p "
|
||||
+ "writePos=%p "
|
||||
+ "state=%d toRead=%d remaining=%d "
|
||||
+ "nRead=%d carrylen=%d carryBuf=%p "
|
||||
+ "result=%d\n",
|
||||
+ __func__, len,
|
||||
+ wsctx->readlen, wsctx->readPos,
|
||||
+ wsctx->writePos,
|
||||
+ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
|
||||
+ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf,
|
||||
+ result);
|
||||
return result;
|
||||
}
|
||||
|
||||
@@ -924,7 +1255,7 @@ webSocketsHasDataInBuffer(rfbClientPtr c
|
||||
{
|
||||
ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
||||
|
||||
- if (wsctx && wsctx->readbuflen)
|
||||
+ if (wsctx && wsctx->readlen)
|
||||
return TRUE;
|
||||
|
||||
return (cl->sslctx && rfbssl_pending(cl) > 0);
|
||||
@ -1,35 +0,0 @@
|
||||
From d87d25516b3992e52cf79e3cd6bd331b0baceecf Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Sun, 17 Nov 2019 16:21:18 +0100
|
||||
Subject: [PATCH] When connecting to a repeater, make sure to not leak memory
|
||||
|
||||
Really closes #253
|
||||
---
|
||||
examples/repeater.c | 1 +
|
||||
libvncclient/rfbproto.c | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/examples/repeater.c b/examples/repeater.c
|
||||
index cf0350ff..7047578d 100644
|
||||
--- a/examples/repeater.c
|
||||
+++ b/examples/repeater.c
|
||||
@@ -23,6 +23,7 @@ int main(int argc,char** argv)
|
||||
"Usage: %s <id> <repeater-host> [<repeater-port>]\n", argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
+ memset(id, 0, sizeof(id));
|
||||
snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
|
||||
repeaterHost = argv[2];
|
||||
repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
|
||||
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
|
||||
index 6c07d97e..675248fa 100644
|
||||
--- a/libvncclient/rfbproto.c
|
||||
+++ b/libvncclient/rfbproto.c
|
||||
@@ -402,6 +402,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
|
||||
|
||||
rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
|
||||
|
||||
+ memset(tmphost, 0, sizeof(tmphost));
|
||||
snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
|
||||
if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
|
||||
return FALSE;
|
||||
@ -1,25 +0,0 @@
|
||||
From 3fd03977c9b35800d73a865f167338cb4d05b0c1 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Sat, 6 Apr 2019 20:23:12 +0200
|
||||
Subject: [PATCH] libvncclient: bail out if unix socket name would overflow
|
||||
|
||||
Closes #291
|
||||
---
|
||||
libvncclient/sockets.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c
|
||||
index f042472f..821f85ca 100644
|
||||
--- a/libvncclient/sockets.c
|
||||
+++ b/libvncclient/sockets.c
|
||||
@@ -461,6 +461,10 @@ ConnectClientToUnixSock(const char *sockFile)
|
||||
int sock;
|
||||
struct sockaddr_un addr;
|
||||
addr.sun_family = AF_UNIX;
|
||||
+ if(strlen(sockFile) + 1 > sizeof(addr.sun_path)) {
|
||||
+ rfbClientErr("ConnectToUnixSock: socket file name too long\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
strcpy(addr.sun_path, sockFile);
|
||||
|
||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
@ -1,40 +0,0 @@
|
||||
Backport of:
|
||||
From 0cf1400c61850065de590d403f6d49e32882fd76 Mon Sep 17 00:00:00 2001
|
||||
From: Rolf Eike Beer <eike@sf-mail.de>
|
||||
Date: Tue, 28 May 2019 18:30:46 +0200
|
||||
Subject: [PATCH] fix crash because of unaligned accesses in
|
||||
hybiReadAndDecode()
|
||||
|
||||
[Ubuntu note: patch backported to apply on libvncserver/websockets.c instead of
|
||||
libvncserver/ws_decode.c
|
||||
-- Avital]
|
||||
|
||||
---
|
||||
libvncserver/ws_decode.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/libvncserver/websockets.c
|
||||
+++ b/libvncserver/websockets.c
|
||||
@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
|
||||
int bufsize;
|
||||
int nextRead;
|
||||
unsigned char *data;
|
||||
- uint32_t *data32;
|
||||
ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
||||
|
||||
/* if data was carried over, copy to start of buffer */
|
||||
@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
|
||||
/* for a possible base64 decoding, we decode multiples of 4 bytes until
|
||||
* the whole frame is received and carry over any remaining bytes in the carry buf*/
|
||||
data = (unsigned char *)hybiPayloadStart(wsctx);
|
||||
- data32= (uint32_t *)data;
|
||||
|
||||
for (i = 0; i < (toDecode >> 2); i++) {
|
||||
- data32[i] ^= wsctx->header.mask.u;
|
||||
+ uint32_t tmp;
|
||||
+ memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
|
||||
+ tmp ^= wsctx->header.mask.u;
|
||||
+ memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
|
||||
}
|
||||
rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
|
||||
|
||||
@ -1,80 +0,0 @@
|
||||
From 416d7662a3f3ac5131014c6011bf1364d57a27e2 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Junghans <tobydox@veyon.io>
|
||||
Date: Tue, 3 Nov 2020 13:58:36 -0600
|
||||
Subject: [PATCH] libvncserver: add missing NULL pointer checks
|
||||
|
||||
---
|
||||
libvncserver/rfbregion.c | 26 ++++++++++++++++----------
|
||||
libvncserver/rfbserver.c | 4 +++-
|
||||
2 files changed, 19 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/libvncserver/rfbregion.c b/libvncserver/rfbregion.c
|
||||
index 1947d7c4..1e59646a 100644
|
||||
--- a/libvncserver/rfbregion.c
|
||||
+++ b/libvncserver/rfbregion.c
|
||||
@@ -50,24 +50,30 @@ sraSpanDup(const sraSpan *src) {
|
||||
|
||||
static void
|
||||
sraSpanInsertAfter(sraSpan *newspan, sraSpan *after) {
|
||||
- newspan->_next = after->_next;
|
||||
- newspan->_prev = after;
|
||||
- after->_next->_prev = newspan;
|
||||
- after->_next = newspan;
|
||||
+ if (newspan && after) {
|
||||
+ newspan->_next = after->_next;
|
||||
+ newspan->_prev = after;
|
||||
+ after->_next->_prev = newspan;
|
||||
+ after->_next = newspan;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void
|
||||
sraSpanInsertBefore(sraSpan *newspan, sraSpan *before) {
|
||||
- newspan->_next = before;
|
||||
- newspan->_prev = before->_prev;
|
||||
- before->_prev->_next = newspan;
|
||||
- before->_prev = newspan;
|
||||
+ if (newspan && before) {
|
||||
+ newspan->_next = before;
|
||||
+ newspan->_prev = before->_prev;
|
||||
+ before->_prev->_next = newspan;
|
||||
+ before->_prev = newspan;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void
|
||||
sraSpanRemove(sraSpan *span) {
|
||||
- span->_prev->_next = span->_next;
|
||||
- span->_next->_prev = span->_prev;
|
||||
+ if (span) {
|
||||
+ span->_prev->_next = span->_next;
|
||||
+ span->_next->_prev = span->_prev;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index 1b4dd975..1f4230f2 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -218,6 +218,8 @@ rfbClientIteratorHead(rfbClientIteratorPtr i)
|
||||
rfbClientPtr
|
||||
rfbClientIteratorNext(rfbClientIteratorPtr i)
|
||||
{
|
||||
+ if (!i)
|
||||
+ return NULL;
|
||||
if(i->next == 0) {
|
||||
LOCK(rfbClientListMutex);
|
||||
i->next = i->screen->clientHead;
|
||||
@@ -242,7 +244,7 @@ rfbClientIteratorNext(rfbClientIteratorPtr i)
|
||||
void
|
||||
rfbReleaseClientIterator(rfbClientIteratorPtr iterator)
|
||||
{
|
||||
- IF_PTHREADS(if(iterator->next) rfbDecrClientRef(iterator->next));
|
||||
+ IF_PTHREADS(if(iterator && iterator->next) rfbDecrClientRef(iterator->next));
|
||||
free(iterator);
|
||||
}
|
||||
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,38 +0,0 @@
|
||||
From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Tue, 3 Nov 2020 13:44:14 -0600
|
||||
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
|
||||
|
||||
Addresses GitHub Security Lab (GHSL) Vulnerability Report
|
||||
`GHSL-2020-063`.
|
||||
|
||||
Re #275
|
||||
---
|
||||
libvncclient/rfbproto.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
|
||||
index 94751a22..7ba00b55 100644
|
||||
--- a/libvncclient/rfbproto.c
|
||||
+++ b/libvncclient/rfbproto.c
|
||||
@@ -73,6 +73,8 @@
|
||||
# define snprintf _snprintf /* MSVC went straight to the underscored syntax */
|
||||
#endif
|
||||
|
||||
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
|
||||
+
|
||||
/*
|
||||
* rfbClientLog prints a time-stamped message to the log file (stderr).
|
||||
*/
|
||||
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
|
||||
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
|
||||
break;
|
||||
default:
|
||||
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
|
||||
+ return FALSE;
|
||||
buffer=malloc(msg.tc.length+1);
|
||||
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
|
||||
{
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,24 +0,0 @@
|
||||
From 673c07a75ed844d74676f3ccdcfdc706a7052dba Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Sun, 17 May 2020 13:47:21 +0200
|
||||
Subject: [PATCH] libvncserver/rfbserver: fix possible divide-by-zero
|
||||
|
||||
Closes #409
|
||||
---
|
||||
libvncserver/rfbserver.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index 269a0137..9cc29c52 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -3369,6 +3369,9 @@ rfbSendRectEncodingRaw(rfbClientPtr cl,
|
||||
char *fbptr = (cl->scaledScreen->frameBuffer + (cl->scaledScreen->paddedWidthInBytes * y)
|
||||
+ (x * (cl->scaledScreen->bitsPerPixel / 8)));
|
||||
|
||||
+ if(!h || !w)
|
||||
+ return TRUE; /* nothing to send */
|
||||
+
|
||||
/* Flush the buffer to guarantee correct alignment for translateFn(). */
|
||||
if (cl->ublen > 0) {
|
||||
if (!rfbSendUpdateBuf(cl))
|
||||
@ -1,82 +0,0 @@
|
||||
From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Thu, 10 Jan 2019 12:11:04 +0100
|
||||
Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in
|
||||
rfbserver.c:rfbProcessFileTransferReadBuffer())
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch contains the following three upstream patches squashed
|
||||
together and ported to 0.9.11 version:
|
||||
|
||||
commit 502821828ed00b4a2c4bef90683d0fd88ce495de
|
||||
Author: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Sun Oct 21 20:21:30 2018 +0200
|
||||
|
||||
LibVNCServer: fix heap out-of-bound write access
|
||||
|
||||
Closes #243
|
||||
|
||||
commit 15bb719c03cc70f14c36a843dcb16ed69b405707
|
||||
Author: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Sun Jan 6 15:13:56 2019 +0100
|
||||
|
||||
Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
|
||||
|
||||
re #273
|
||||
|
||||
commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
|
||||
Author: Petr Písař <ppisar@redhat.com>
|
||||
Date: Mon Jan 7 10:40:01 2019 +0100
|
||||
|
||||
Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
|
||||
|
||||
This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
|
||||
out-of-bound write access in rfbProcessFileTransferReadBuffer() when
|
||||
reading a transfered file content in a server. The former fix did not
|
||||
work on platforms with a 32-bit int type (expected by rfbReadExact()).
|
||||
|
||||
CVE-2018-15127
|
||||
<https://github.com/LibVNC/libvncserver/issues/243>
|
||||
<https://github.com/LibVNC/libvncserver/issues/273>
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libvncserver/rfbserver.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index b50a7f4..1b4dd97 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
|
||||
int n=0;
|
||||
|
||||
FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
|
||||
+
|
||||
/*
|
||||
- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
|
||||
+ We later alloc length+1, which might wrap around on 32-bit systems if length equals
|
||||
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
|
||||
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
|
||||
+ without problems as length is a uint32_t.
|
||||
+ We also later pass length to rfbReadExact() that expects a signed int type and
|
||||
+ that might wrap on platforms with a 32-bit int type if length is bigger
|
||||
+ than 0X7FFFFFFF.
|
||||
*/
|
||||
+ if(length == SIZE_MAX || length > INT_MAX) {
|
||||
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
|
||||
+ rfbCloseClient(cl);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
if (length>0) {
|
||||
- buffer=malloc(length+1);
|
||||
+ buffer=malloc((size_t)length+1);
|
||||
if (buffer!=NULL) {
|
||||
if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
|
||||
if (n != 0)
|
||||
--
|
||||
2.17.2
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Tue, 6 Mar 2018 11:58:02 +0100
|
||||
Subject: [PATCH] Limit client cut text length to 1 MB
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch constrains client text length to 1 MB. Otherwise a client
|
||||
could make server allocate 2 GB of memory and that seems to be to much
|
||||
to classify it as denial of service.
|
||||
|
||||
I keep the previous checks for maximal type values intentionally as
|
||||
a course of defensive coding. (You cannot never know how small the
|
||||
types are. And as a warning for people patching out this change not to
|
||||
introduce CVE-2018-7225 again.)
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libvncserver/rfbserver.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index a9561fc..0027343 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
|
||||
* argument. Here we check that the value fits into all of them to
|
||||
* prevent from misinterpretation and thus from accessing uninitialized
|
||||
* memory. CVE-2018-7225 */
|
||||
- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
||||
+ /* But first to prevent from a denial-of-service by allocating to much
|
||||
+ * memory in the server, we impose a limit of 1 MB. */
|
||||
+ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
||||
rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
|
||||
msg.cct.length);
|
||||
rfbCloseClient(cl);
|
||||
--
|
||||
2.13.6
|
||||
|
||||
@ -1,76 +0,0 @@
|
||||
From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 26 Feb 2018 13:48:00 +0100
|
||||
Subject: [PATCH] Validate client cut text length
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Client-provided unsigned 32-bit cut text length is passed to various
|
||||
functions that expects argument of a different type.
|
||||
|
||||
E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the
|
||||
RFB server leads to 4294967295 msg.cct.length value that in turn is
|
||||
interpreted as -1 by rfbReadExact() and thus uninitialized str buffer
|
||||
with potentially sensitive data is passed to subsequent functions.
|
||||
|
||||
This patch fixes it by checking for a maximal value that still can be
|
||||
processed correctly. It also corrects accepting length value of zero
|
||||
(malloc(0) is interpreted on differnet systems differently).
|
||||
|
||||
Whether a client can make the server allocate up to 2 GB and cause
|
||||
a denial of service on memory-tight systems is kept without answer.
|
||||
A possible solution would be adding an arbitrary memory limit that is
|
||||
deemed safe.
|
||||
|
||||
CVE-2018-7225
|
||||
<https://github.com/LibVNC/libvncserver/issues/218>
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libvncserver/rfbserver.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index 116c488..a9561fc 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -88,6 +88,12 @@
|
||||
#include <errno.h>
|
||||
/* strftime() */
|
||||
#include <time.h>
|
||||
+/* SIZE_MAX */
|
||||
+#include <stdint.h>
|
||||
+/* PRIu32 */
|
||||
+#include <inttypes.h>
|
||||
+/* INT_MAX */
|
||||
+#include <limits.h>
|
||||
|
||||
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
|
||||
#include "rfbssl.h"
|
||||
@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
|
||||
|
||||
msg.cct.length = Swap32IfLE(msg.cct.length);
|
||||
|
||||
- str = (char *)malloc(msg.cct.length);
|
||||
+ /* uint32_t input is passed to malloc()'s size_t argument,
|
||||
+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
|
||||
+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
|
||||
+ * argument. Here we check that the value fits into all of them to
|
||||
+ * prevent from misinterpretation and thus from accessing uninitialized
|
||||
+ * memory. CVE-2018-7225 */
|
||||
+ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
||||
+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
|
||||
+ msg.cct.length);
|
||||
+ rfbCloseClient(cl);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /* Allow zero-length client cut text. */
|
||||
+ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
|
||||
if (str == NULL) {
|
||||
rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
|
||||
rfbCloseClient(cl);
|
||||
--
|
||||
2.13.6
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Sun, 17 Nov 2019 17:18:35 +0100
|
||||
Subject: [PATCH] libvncclient/cursor: limit width/height input values
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Avoids a possible heap overflow reported by Pavel Cheremushkin
|
||||
<Pavel.Cheremushkin@kaspersky.com>.
|
||||
|
||||
re #275
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libvncclient/cursor.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
|
||||
index 67f45726..40ffb3b0 100644
|
||||
--- a/libvncclient/cursor.c
|
||||
+++ b/libvncclient/cursor.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#define OPER_SAVE 0
|
||||
#define OPER_RESTORE 1
|
||||
|
||||
+#define MAX_CURSOR_SIZE 1024
|
||||
+
|
||||
#define RGB24_TO_PIXEL(bpp,r,g,b) \
|
||||
((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
|
||||
<< client->format.redShift | \
|
||||
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
|
||||
if (width * height == 0)
|
||||
return TRUE;
|
||||
|
||||
+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
|
||||
+ return FALSE;
|
||||
+
|
||||
/* Allocate memory for pixel data and temporary mask data. */
|
||||
if(client->rcSource)
|
||||
free(client->rcSource);
|
||||
--
|
||||
2.21.1
|
||||
|
||||
@ -1,22 +0,0 @@
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-05-17 11:26:44.383312391 -0500
|
||||
@@ -25,5 +25,5 @@ EXTRA_DIST=corre.c hextile.c rre.c tight
|
||||
$(libvncclient_la_OBJECTS): ../rfb/rfbclient.h
|
||||
|
||||
lib_LTLIBRARIES=libvncclient.la
|
||||
-libvncclient_la_LDFLAGS = -version-info 1:0:0
|
||||
+libvncclient_la_LDFLAGS = -version-info 0:0:0
|
||||
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-05-17 11:27:02.259459683 -0500
|
||||
@@ -66,7 +66,7 @@ libvncserver_la_LIBADD += $(LIBSYSTEMD_L
|
||||
endif
|
||||
|
||||
lib_LTLIBRARIES=libvncserver.la
|
||||
-libvncserver_la_LDFLAGS = -version-info 1:0:0
|
||||
+libvncserver_la_LDFLAGS = -version-info 0:0:0
|
||||
|
||||
if HAVE_RPM
|
||||
$(PACKAGE)-$(VERSION).tar.gz: dist
|
||||
@ -1,55 +0,0 @@
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo 2017-02-14 10:54:54.308402791 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-02-14 10:56:28.007379315 -0600
|
||||
@@ -13,8 +13,8 @@ endif
|
||||
endif
|
||||
|
||||
|
||||
-libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c ../common/minilzo.c $(TLSSRCS)
|
||||
-libvncclient_la_LIBADD=$(TLSLIBS)
|
||||
+libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c $(TLSSRCS)
|
||||
+libvncclient_la_LIBADD=$(TLSLIBS) -lminilzo
|
||||
|
||||
noinst_HEADERS=../common/lzodefs.h ../common/lzoconf.h ../common/minilzo.h tls.h
|
||||
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c 2017-02-14 10:54:54.309402801 -0600
|
||||
@@ -66,7 +66,7 @@
|
||||
#include <gcrypt.h>
|
||||
#endif
|
||||
|
||||
-#include "minilzo.h"
|
||||
+#include <lzo/minilzo.h>
|
||||
#include "tls.h"
|
||||
|
||||
#ifdef _MSC_VER
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo 2017-02-14 10:54:54.309402801 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-02-14 10:57:28.495009713 -0600
|
||||
@@ -53,11 +53,11 @@ endif
|
||||
LIB_SRCS = main.c rfbserver.c rfbregion.c auth.c sockets.c $(WEBSOCKETSSRCS) \
|
||||
stats.c corre.c hextile.c rre.c translate.c cutpaste.c \
|
||||
httpd.c cursor.c font.c \
|
||||
- draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ../common/minilzo.c ultra.c scale.c \
|
||||
+ draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ultra.c scale.c \
|
||||
$(ZLIBSRCS) $(TIGHTSRCS) $(TIGHTVNCFILETRANSFERSRCS)
|
||||
|
||||
libvncserver_la_SOURCES=$(LIB_SRCS)
|
||||
-libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS)
|
||||
+libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -lminilzo
|
||||
|
||||
if WITH_SYSTEMD
|
||||
AM_CPPFLAGS += -DLIBVNCSERVER_WITH_SYSTEMD
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c 2017-02-14 10:54:54.309402801 -0600
|
||||
@@ -8,7 +8,7 @@
|
||||
*/
|
||||
|
||||
#include <rfb/rfb.h>
|
||||
-#include "minilzo.h"
|
||||
+#include <lzo/minilzo.h>
|
||||
|
||||
/*
|
||||
* cl->beforeEncBuf contains pixel data in the client's format.
|
||||
@ -0,0 +1,15 @@
|
||||
diff -up libvncserver-LibVNCServer-0.9.13/libvncclient/tls_gnutls.c.crypto_policy libvncserver-LibVNCServer-0.9.13/libvncclient/tls_gnutls.c
|
||||
--- libvncserver-LibVNCServer-0.9.13/libvncclient/tls_gnutls.c.crypto_policy 2020-06-13 13:49:53.000000000 -0500
|
||||
+++ libvncserver-LibVNCServer-0.9.13/libvncclient/tls_gnutls.c 2020-07-02 08:00:54.304902893 -0500
|
||||
@@ -29,8 +29,8 @@
|
||||
#include "tls.h"
|
||||
|
||||
|
||||
-static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA:+SRP";
|
||||
-static const char *rfbAnonTLSPriority= "NORMAL:+ANON-DH";
|
||||
+static const char *rfbTLSPriority = "@SYSTEM";
|
||||
+static const char *rfbAnonTLSPriority= "@SYSTEM:+ANON-DH";
|
||||
|
||||
#define DH_BITS 1024
|
||||
static gnutls_dh_params_t rfbDHParams;
|
||||
diff -up libvncserver-LibVNCServer-0.9.13/libvncserver/rfbssl_gnutls.c.crypto_policy libvncserver-LibVNCServer-0.9.13/libvncserver/rfbssl_gnutls.c
|
||||
Loading…
Reference in new issue