Diffstat (limited to 'package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch')
| -rw-r--r-- | package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
new file mode 100644
index 0000000000..57a64d96b7
--- /dev/null
+++ b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
@@ -0,0 +1,60 @@
+From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:39:48 +0000
+Subject: [PATCH] Prevent possible DoS attempts during protocol handshake
+
+The limit for link message is specified using a 32 bit unsigned integer.
+This could cause possible DoS due to excessive memory allocations and
+some possible crashes.
+For instance a value >= 2^31 causes a spice_assert to be triggered in
+async_read_handler (reds-stream.c) due to an integer overflow at this
+line:
+
+ int n = async->end - async->now;
+
+This could be easily triggered with a program like
+
+ #!/usr/bin/env python
+
+ import socket
+ import time
+ from struct import pack
+
+ server = '127.0.0.1'
+ port = 5900
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((server, port))
+ data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
+ s.send(data)
+
+ time.sleep(1)
+
+without requiring any authentication (the same can be done
+with TLS).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/server/reds.c b/server/reds.c
+index f40b65c1..86a33d53 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
+
+ reds->peer_minor_version = header->minor_version;
+
+- if (header->size < sizeof(SpiceLinkMess)) {
++ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
++ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ spice_warning("bad size %u", header->size);
+ reds_link_free(link);
+--
+2.11.0
+
|
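Review bot: The upper bound added to the size check in the inner hunk, `if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {`, is a bare literal whose meaning lives only in the comment on the line above; a named constant for the maximum link-message size (name to be chosen to match the surrounding reds.c conventions) would make the bound discoverable and reusable by any other code that sizes that allocation. Because this file is a verbatim backport of the upstream commit, that change belongs upstream and the Buildroot copy should stay as-is; the point is worth carrying to the next spice version bump rather than editing the patch locally. The enclosing function reds_handle_read_header_done, including the allocation this bound protects, continues outside the hunk, so whether the same limit is applied at every consumer of header->size cannot be confirmed from here.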

