qemu/ui
Daniel P. Berrange a2bebfd6e0 CVE-2015-1779: incrementally decode websocket frames
The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger this denial of service before
the VNC server even performs any authentication.

The fix is to decode the header, and then incrementally
decode the payload data as it is needed. With this fix
the websocket decoder will allow at most 4k of data to
be buffered before decoding and processing payload.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]

  @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
  -        *payload_size = input->offset;
  +        *payload_size = *payload_remain;
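Review bot: the annotation says this one-line change in vncws_decode_frame_payload() fixes frequent spurious disconnects, but neither the note nor the hunk explains why reporting input->offset was wrong; a sentence stating that the input buffer can hold bytes beyond the current frame's payload (the "at most 4k buffered" case described above), so the caller must be told only the payload bytes still owed, would document the fix. The hunk also shows neither where *payload_remain is updated nor any check that it does not exceed the bytes actually present in input, so the commit message should state how that relationship is maintained.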

[ kraxel: fix 32bit build ]

  @@ -306,7 +306,7 @@ struct VncState
  -    uint64_t ws_payload_remain;
  +    size_t ws_payload_remain;
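Review bot: narrowing ws_payload_remain from uint64_t to size_t fixes the 32-bit build, but the message above states that a websocket frame header can announce a payload of up to 2^64 bytes; on a 32-bit host that value no longer fits in the field, so the decoder must clamp or reject the header length before storing it, otherwise the remaining-byte count is silently truncated. The annotation should say where that check lives, since the hunk alone only changes the field's type.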

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01 17:11:34 +02:00
Makefile.objs sdl2: move sdl_update to new sdl2-2d.c 2014-12-17 12:44:01 +01:00
cocoa.m block: delete cow block driver 2014-09-22 11:39:45 +01:00
console.c ui/console: fix OVERFLOW_BEFORE_WIDEN 2015-03-12 08:22:12 +01:00
curses.c input/curses: add kbd delay between keydown and keyup events 2014-06-04 08:40:42 +02:00
curses_keys.h janitor: add guards to headers 2012-12-19 08:31:31 +01:00
cursor.c ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor_hidden.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor_left_ptr.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
d3des.c ui: Removed unused functions 2015-03-10 08:15:33 +03:00
d3des.h ui: Removed unused functions 2015-03-10 08:15:33 +03:00
gtk.c gtk: do not call gtk_widget_get_window if drawing area is not initialized 2015-03-26 17:58:12 +01:00
input-keymap.c input: keymap: add meta keys 2014-05-26 08:42:43 +02:00
input-legacy.c ui: Removed unused functions 2015-03-10 08:15:33 +03:00
input.c hmp: Name HMP command handler functions hmp_COMMAND() 2015-02-18 11:58:30 +01:00
keymaps.c keymaps: correct keymaps.c following Qemu coding style 2014-12-10 10:08:12 +01:00
keymaps.h
qemu-pixman.c ui/pixman: add qemu_pixman_check_format 2015-01-19 13:33:26 +01:00
qemu-x509.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
sdl.c sdl: Fix crash when calling sdl_switch() with NULL surface 2015-03-12 12:54:23 +01:00
sdl2-2d.c ui/sdl2: Support shared surface for more pixman formats 2015-01-19 13:33:26 +01:00
sdl2-input.c sdl2: move keyboard input code to new sdl2-input.c 2014-12-17 12:43:27 +01:00
sdl2-keymap.h sdl2: keymap fixups 2014-09-16 08:07:05 +02:00
sdl2.c ui/sdl2: Support shared surface for more pixman formats 2015-01-19 13:33:26 +01:00
sdl_keysym.h ui/sdl2 : initial port to SDL 2.0 (v2.0) 2014-03-05 09:52:05 +01:00
sdl_zoom.c sdl: Fix heap smash in sdl_zoom_rgb{16,32} for int > 32 bits 2013-01-15 18:25:30 -06:00
sdl_zoom.h
sdl_zoom_template.h sdl: Fix heap smash in sdl_zoom_rgb{16,32} for int > 32 bits 2013-01-15 18:25:30 -06:00
spice-core.c spice: add unix address support 2015-01-22 11:18:41 +01:00
spice-display.c spice: fix coverity reported defect in display code 2015-01-22 11:18:41 +01:00
spice-input.c spice: input: Fix absolute mouse y coordinates 2014-03-24 08:41:21 +01:00
vgafont.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
vnc-auth-sasl.c vnc: drop display+ws_display from VncDisplay 2015-03-12 08:22:07 +01:00
vnc-auth-sasl.h aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
vnc-auth-vencrypt.c ui: remove unused 'wiremode' variable in VncState struct 2015-03-18 09:25:13 +01:00
vnc-auth-vencrypt.h
vnc-enc-hextile-template.h pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-hextile.c pixman/vnc: remove dead code. 2012-11-01 14:00:05 +01:00
vnc-enc-tight.c vnc-enc-tight: fix Arguments in wrong order 2014-12-10 10:08:12 +01:00
vnc-enc-tight.h vnc: tight add PNG encoding 2010-07-26 17:36:14 -05:00
vnc-enc-zlib.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
vnc-enc-zrle-template.c vnc: Add ZRLE and ZYWRLE encodings. 2011-02-23 16:28:28 -06:00
vnc-enc-zrle.c pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-zrle.h vnc: Add ZRLE and ZYWRLE encodings. 2011-02-23 16:28:28 -06:00
vnc-enc-zywrle-template.c Fix spelling in comments, documentation and messages 2011-12-14 11:09:44 +00:00
vnc-enc-zywrle.h misc: Spelling and grammar fixes in comments 2013-10-26 13:06:45 +04:00
vnc-jobs.c ui/vnc: Remove vnc_stop_worker_thread() 2015-03-10 08:15:33 +03:00
vnc-jobs.h ui/vnc: Remove vnc_stop_worker_thread() 2015-03-10 08:15:33 +03:00
vnc-palette.c ui/vnc-palette.c: Include headers it needs 2012-12-06 09:17:05 +01:00
vnc-palette.h misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
vnc-tls.c ui: remove separate gnutls_session for websockets server 2015-03-18 09:25:14 +01:00
vnc-tls.h ui: remove unused 'wiremode' variable in VncState struct 2015-03-18 09:25:13 +01:00
vnc-ws.c CVE-2015-1779: incrementally decode websocket frames 2015-04-01 17:11:34 +02:00
vnc-ws.h CVE-2015-1779: incrementally decode websocket frames 2015-04-01 17:11:34 +02:00
vnc.c ui: remove separate gnutls_session for websockets server 2015-03-18 09:25:14 +01:00
vnc.h CVE-2015-1779: incrementally decode websocket frames 2015-04-01 17:11:34 +02:00
vnc_keysym.h qemu-char: add cyrillic characters 'numerosign' to VNC keysyms 2015-03-10 08:15:34 +03:00
x_keymap.c
x_keymap.h Delete useless 'extern' qualifiers for functions 2011-01-23 16:21:20 +00:00