Compare commits
No commits in common. 'c8' and 'i9-spice' have entirely different histories.
@ -1,2 +1 @@
|
|||||||
SOURCES/spice-0.14.3.tar.bz2
|
SOURCES/spice-0.15.1.tar.bz2
|
||||||
SOURCES/victortoso-E37A484F.keyring
|
|
||||||
|
@ -1,2 +1 @@
|
|||||||
f5968dd5df5f64805d093b4c85b4165959e6c65b SOURCES/spice-0.14.3.tar.bz2
|
d76413899bca7bd76abe6b4bed18964410e995f6 SOURCES/spice-0.15.1.tar.bz2
|
||||||
da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring
|
|
||||||
|
@ -1,34 +0,0 @@
|
|||||||
From d9cc2d4659950df230dfe30e5445b91d4c15604e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Date: Wed, 29 Apr 2020 15:09:13 +0100
|
|
||||||
Subject: [PATCH spice-common 1/4] quic: Check we have some data to start
|
|
||||||
decoding quic image
|
|
||||||
|
|
||||||
All paths already pass some data to quic_decode_begin but for the
|
|
||||||
test check it, it's not that expensive test.
|
|
||||||
Checking for not 0 is enough, all other words will potentially be
|
|
||||||
read calling more_io_words but we need one to avoid a potential
|
|
||||||
initial buffer overflow or deferencing an invalid pointer.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Acked-by: Uri Lublin <uril@redhat.com>
|
|
||||||
---
|
|
||||||
common/quic.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
|
|
||||||
index 55a5d6c..e03f3af 100644
|
|
||||||
--- a/subprojects/spice-common/common/quic.c
|
|
||||||
+++ b/subprojects/spice-common/common/quic.c
|
|
||||||
@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
|
|
||||||
int channels;
|
|
||||||
int bpc;
|
|
||||||
|
|
||||||
- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
|
|
||||||
+ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
|
|
||||||
return QUIC_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.25.4
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 19cd6fe85610b424349db2d97e2dd0e2761a4a05 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Date: Wed, 29 Apr 2020 15:10:24 +0100
|
|
||||||
Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
|
|
||||||
|
|
||||||
Avoid some overflow in code due to images too big or
|
|
||||||
negative numbers.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Acked-by: Uri Lublin <uril@redhat.com>
|
|
||||||
---
|
|
||||||
common/quic.c | 13 +++++++++++++
|
|
||||||
1 file changed, 13 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
|
|
||||||
index e03f3af..890f128 100644
|
|
||||||
--- a/subprojects/spice-common/common/quic.c
|
|
||||||
+++ b/subprojects/spice-common/common/quic.c
|
|
||||||
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
|
|
||||||
#define MINwminext 1
|
|
||||||
#define MAXwminext 100000000
|
|
||||||
|
|
||||||
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
|
|
||||||
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
|
|
||||||
+
|
|
||||||
typedef struct QuicFamily {
|
|
||||||
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
|
|
||||||
unmodified GR codewords in the code */
|
|
||||||
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
|
|
||||||
height = encoder->io_word;
|
|
||||||
decode_eat32bits(encoder);
|
|
||||||
|
|
||||||
+ if (width <= 0 || height <= 0) {
|
|
||||||
+ encoder->usr->warn(encoder->usr, "invalid size\n");
|
|
||||||
+ return QUIC_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* avoid too big images */
|
|
||||||
+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "image too large\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
quic_image_params(encoder, type, &channels, &bpc);
|
|
||||||
|
|
||||||
if (!encoder_reset_channels(encoder, channels, width, bpc)) {
|
|
||||||
--
|
|
||||||
2.25.4
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Date: Wed, 29 Apr 2020 15:11:38 +0100
|
|
||||||
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
|
|
||||||
|
|
||||||
Avoid buffer overflows decoding images. On compression we compute
|
|
||||||
lengths till end of line so it won't cause regressions.
|
|
||||||
Proved by fuzzing the code.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Acked-by: Uri Lublin <uril@redhat.com>
|
|
||||||
---
|
|
||||||
common/quic_tmpl.c | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
|
|
||||||
index f0a4927..11e09f5 100644
|
|
||||||
--- a/subprojects/spice-common/common/quic_tmpl.c
|
|
||||||
+++ b/subprojects/spice-common/common/quic_tmpl.c
|
|
||||||
@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
|
|
||||||
do_run:
|
|
||||||
state->waitcnt = stopidx - i;
|
|
||||||
run_index = i;
|
|
||||||
- run_end = i + decode_state_run(encoder, state);
|
|
||||||
+ run_end = decode_state_run(encoder, state);
|
|
||||||
+ if (run_end < 0 || run_end > (end - i)) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
|
|
||||||
+ }
|
|
||||||
+ run_end += i;
|
|
||||||
|
|
||||||
for (; i < run_end; i++) {
|
|
||||||
UNCOMPRESS_PIX_START(&cur_row[i]);
|
|
||||||
--
|
|
||||||
2.25.4
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From 57c6e6b00247ad289a27648213d7ad2306fe3931 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Date: Thu, 30 Apr 2020 10:19:09 +0100
|
|
||||||
Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in
|
|
||||||
find_bucket
|
|
||||||
|
|
||||||
Proved by fuzzing the code.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Acked-by: Uri Lublin <uril@redhat.com>
|
|
||||||
---
|
|
||||||
common/quic_family_tmpl.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c
|
|
||||||
index 8a5f7d2..6cc051b 100644
|
|
||||||
--- a/subprojects/spice-common/common/quic_family_tmpl.c
|
|
||||||
+++ b/subprojects/spice-common/common/quic_family_tmpl.c
|
|
||||||
@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
|
|
||||||
spice_assert(val < (0x1U << BPC));
|
|
||||||
}
|
|
||||||
|
|
||||||
- return channel->_buckets_ptrs[val];
|
|
||||||
+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
|
|
||||||
+ * attempts. Is much faster then using comparisons and save us from such situations.
|
|
||||||
+ * Note that on normal build the check above won't be compiled as this code path
|
|
||||||
+ * is pretty hot and would cause speed regressions.
|
|
||||||
+ */
|
|
||||||
+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
|
|
||||||
}
|
|
||||||
|
|
||||||
#undef FNAME
|
|
||||||
--
|
|
||||||
2.25.4
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
From b8f4d7d2c7a3d08a82f4bc7588cdff15cee54292 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Date: Tue, 16 Jun 2020 11:49:19 +0100
|
|
||||||
Subject: [PATCH] websocket: Fix possible integer overflow
|
|
||||||
|
|
||||||
The shift of a uint_8 number by a number > 32 causes an overflow.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
||||||
Acked-by: Uri Lublin <ulublin@redhat.com>
|
|
||||||
---
|
|
||||||
server/websocket.c | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/websocket.c b/server/websocket.c
|
|
||||||
index f5df63f8..82b20b49 100644
|
|
||||||
--- a/server/websocket.c
|
|
||||||
+++ b/server/websocket.c
|
|
||||||
@@ -165,8 +165,9 @@ static uint64_t extract_length(const uint8_t *buf, int *used)
|
|
||||||
case LENGTH_64BIT:
|
|
||||||
*used += 8;
|
|
||||||
outlen = 0;
|
|
||||||
- for (i = 56; i >= 0; i -= 8) {
|
|
||||||
- outlen |= (*buf++) << i;
|
|
||||||
+ for (i = 0; i < 8; ++i) {
|
|
||||||
+ outlen <<= 8;
|
|
||||||
+ outlen |= *buf++;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 954eabaeb76a0f93a32210b6bf63157ad2c0fb22 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Uri Lublin <uril@redhat.com>
|
|
||||||
Date: Wed, 17 Jun 2020 11:52:05 +0300
|
|
||||||
Subject: [PATCH] test-websocket: check setsockopt return value
|
|
||||||
|
|
||||||
Acked-by: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
---
|
|
||||||
server/tests/test-websocket.c | 10 ++++++++--
|
|
||||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/tests/test-websocket.c b/server/tests/test-websocket.c
|
|
||||||
index 2115411e..701f5408 100644
|
|
||||||
--- a/server/tests/test-websocket.c
|
|
||||||
+++ b/server/tests/test-websocket.c
|
|
||||||
@@ -146,7 +146,10 @@ main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
|
|
||||||
int enable = 1;
|
|
||||||
- setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(enable));
|
|
||||||
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR,
|
|
||||||
+ (const void *) &enable, sizeof(enable)) < 0) {
|
|
||||||
+ err(1, "setsockopt reuseaddr");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (non_blocking) {
|
|
||||||
red_socket_set_non_blocking(sock, true);
|
|
||||||
@@ -200,7 +203,10 @@ handle_client(int new_sock)
|
|
||||||
}
|
|
||||||
|
|
||||||
int enable = 1;
|
|
||||||
- setsockopt(new_sock, SOL_TCP, TCP_NODELAY, (const void *) &enable, sizeof(enable));
|
|
||||||
+ if (setsockopt(new_sock, SOL_TCP, TCP_NODELAY,
|
|
||||||
+ (const void *) &enable, sizeof(enable)) < 0) {
|
|
||||||
+ err(1, "setsockopt nodelay");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
// wait header
|
|
||||||
wait_for(new_sock, POLLIN);
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From 95a0cfac8a1c8eff50f05e65df945da3bb501fc9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
|
|
||||||
Date: Thu, 3 Dec 2020 09:33:48 +0100
|
|
||||||
Subject: [PATCH] With OpenSSL 1.0.2 and earlier: disable client-side
|
|
||||||
renegotiation.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixed issue #49
|
|
||||||
Fixes BZ#1904459
|
|
||||||
|
|
||||||
Signed-off-by: Julien Ropé <jrope@redhat.com>
|
|
||||||
Reported-by: BlackKD
|
|
||||||
Acked-by: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
---
|
|
||||||
server/red-stream.cpp | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/server/red-stream.cpp b/server/red-stream.cpp
|
|
||||||
index 420433bd..c1f0f00c 100644
|
|
||||||
--- a/server/red-stream.c
|
|
||||||
+++ b/server/red-stream.c
|
|
||||||
@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
|
|
||||||
return RED_STREAM_SSL_STATUS_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef SSL_OP_NO_RENEGOTIATION
|
|
||||||
+ // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
|
|
||||||
+ stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
ssl_error = SSL_get_error(stream->priv->ssl, return_code);
|
|
||||||
if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
|
|
||||||
ssl_error == SSL_ERROR_WANT_WRITE)) {
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
|
|
||||||
Date: Wed, 2 Dec 2020 13:39:27 +0100
|
|
||||||
Subject: [PATCH 1/2] With OpenSSL 1.1: Disable client-initiated renegotiation.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes issue #49
|
|
||||||
Fixes BZ#1904459
|
|
||||||
|
|
||||||
Signed-off-by: Julien Ropé <jrope@redhat.com>
|
|
||||||
Reported-by: BlackKD
|
|
||||||
Acked-by: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
---
|
|
||||||
server/reds.cpp | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/server/reds.cpp b/server/reds.cpp
|
|
||||||
index fe69508e..f61086cb 100644
|
|
||||||
--- a/server/reds.c
|
|
||||||
+++ b/server/reds.c
|
|
||||||
@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds)
|
|
||||||
* When some other SSL/TLS version becomes obsolete, add it to this
|
|
||||||
* variable. */
|
|
||||||
long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
|
|
||||||
+#ifdef SSL_OP_NO_RENEGOTIATION
|
|
||||||
+ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
|
|
||||||
+ ssl_options |= SSL_OP_NO_RENEGOTIATION;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Global system initialization*/
|
|
||||||
openssl_global_init();
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading…
Reference in new issue