qemu/ui
Daniel P. Berrange 2cdb5e142f CVE-2015-1779: limit size of HTTP headers from websockets clients
The VNC server websockets decoder will read and buffer data from
websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious client to
trick QEMU into consuming an arbitrary amount of RAM. In practice,
because QEMU runs g_strstr_len() across the buffered header data,
it will spend increasingly long burning CPU time searching for
the substring match and less & less time reading data. So while
this does cause arbitrary memory growth, the bigger problem is
that QEMU will be burning 100% of available CPU time.

A novnc websockets client typically sends headers of around
512 bytes in length. As such it is reasonable to place a 4096
byte limit on the amount of data buffered while searching for
the end of HTTP headers.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01 17:12:55 +02:00
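The buffering behaviour described in the commit message, as an added example that is not QEMU's code: a handshake buffer that caps the HTTP headers at the 4096 bytes the message settles on, and, for contrast, a mode that rescans the whole buffer from offset 0 on every read (the g_strstr_len pattern the message blames for the CPU burn). The incremental rescan that only looks at the last three previously scanned bytes is an additional mitigation of my own, not something the page says the patch does; the type and function names, and the sample handshake, are constructed for this example.

```c
/* Added example (not QEMU's code): a bounded, incrementally scanned buffer
 * for websocket HTTP handshake headers, next to the rescan-from-zero
 * behaviour the commit message describes. */
#include <stdio.h>
#include <string.h>

#define WS_HANDSHAKE_MAX 4096   /* the 4096-byte limit chosen in the commit message */
#define HDR_END "\r\n\r\n"

typedef struct {
    char buf[WS_HANDSHAKE_MAX];
    size_t len;        /* bytes buffered so far */
    size_t scanned;    /* bytes already searched for HDR_END */
    size_t hdr_end;    /* offset just past HDR_END once found, else 0 */
    int rejected;      /* set when the client exceeds the limit */
    int incremental;   /* 1: rescan only the tail; 0: rescan from 0 each time */
    size_t scan_work;  /* candidate offsets compared (for the demonstration) */
} ws_handshake;

void ws_handshake_init(ws_handshake *h, int incremental)
{
    memset(h, 0, sizeof *h);
    h->incremental = incremental;
}

/* Feed n bytes received from the client.
 * Returns 1 when the headers are complete, 0 when more data is needed,
 * -1 when the client exceeded WS_HANDSHAKE_MAX without finishing them. */
int ws_handshake_feed(ws_handshake *h, const char *data, size_t n)
{
    if (h->rejected)
        return -1;
    if (h->hdr_end)
        return 1;
    if (n > WS_HANDSHAKE_MAX - h->len) {
        /* The fix: stop buffering instead of growing without bound. */
        h->rejected = 1;
        return -1;
    }
    memcpy(h->buf + h->len, data, n);
    h->len += n;

    /* A terminator that overlaps the new data starts at most 3 bytes before
     * the previously scanned end, so only that tail needs rescanning.
     * Rescanning from 0 on every read costs O(n^2) over the whole exchange. */
    size_t start = 0;
    if (h->incremental && h->scanned > 3)
        start = h->scanned - 3;
    for (size_t i = start; i + 4 <= h->len; i++) {
        h->scan_work++;
        if (memcmp(h->buf + i, HDR_END, 4) == 0) {
            h->hdr_end = i + 4;
            return 1;
        }
    }
    h->scanned = h->len;
    return 0;
}

/* Drip n bytes of 'A' one at a time (a client that never sends HDR_END).
 * Returns the last feed result; *work receives the comparisons performed. */
int ws_drip_attack(size_t n, int incremental, size_t *work)
{
    ws_handshake h;
    ws_handshake_init(&h, incremental);
    int rc = 0;
    for (size_t i = 0; i < n && rc == 0; i++)
        rc = ws_handshake_feed(&h, "A", 1);
    *work = h.scan_work;
    return rc;
}

int main(void)
{
    /* Constructed handshake, split so the terminator straddles two reads. */
    ws_handshake h;
    ws_handshake_init(&h, 1);
    const char *part1 = "GET /websockify HTTP/1.1\r\nHost: vnc.example\r\n"
                        "Upgrade: websocket\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r";
    const char *part2 = "\nFRAMEDATA";
    printf("part1 -> %d\n", ws_handshake_feed(&h, part1, strlen(part1)));
    printf("part2 -> %d, headers end at offset %zu\n",
           ws_handshake_feed(&h, part2, strlen(part2)), h.hdr_end);

    size_t naive, incr;
    int rc_naive = ws_drip_attack(4000, 0, &naive);
    int rc_incr = ws_drip_attack(4000, 1, &incr);
    printf("4000-byte drip: rescan-from-0 rc=%d work=%zu; incremental rc=%d work=%zu\n",
           rc_naive, naive, rc_incr, incr);
    printf("5000-byte drip: rc=%d (rejected at the limit)\n",
           ws_drip_attack(5000, 1, &incr));
    return 0;
}
```

The size cap alone closes the memory growth, and it also bounds the CPU cost of the rescan-from-zero search, since the buffer it walks can never exceed 4096 bytes; the incremental scan shows how much of that work was avoidable in the first place.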
Makefile.objs sdl2: move sdl_update to new sdl2-2d.c 2014-12-17 12:44:01 +01:00
cocoa.m block: delete cow block driver 2014-09-22 11:39:45 +01:00
console.c ui/console: fix OVERFLOW_BEFORE_WIDEN 2015-03-12 08:22:12 +01:00
curses.c input/curses: add kbd delay between keydown and keyup events 2014-06-04 08:40:42 +02:00
curses_keys.h janitor: add guards to headers 2012-12-19 08:31:31 +01:00
cursor.c ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor_hidden.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor_left_ptr.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
d3des.c ui: Removed unused functions 2015-03-10 08:15:33 +03:00
d3des.h ui: Removed unused functions 2015-03-10 08:15:33 +03:00
gtk.c gtk: do not call gtk_widget_get_window if drawing area is not initialized 2015-03-26 17:58:12 +01:00
input-keymap.c input: keymap: add meta keys 2014-05-26 08:42:43 +02:00
input-legacy.c ui: Removed unused functions 2015-03-10 08:15:33 +03:00
input.c hmp: Name HMP command handler functions hmp_COMMAND() 2015-02-18 11:58:30 +01:00
keymaps.c keymaps: correct keymaps.c following Qemu coding style 2014-12-10 10:08:12 +01:00
keymaps.h
qemu-pixman.c ui/pixman: add qemu_pixman_check_format 2015-01-19 13:33:26 +01:00
qemu-x509.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
sdl.c sdl: Fix crash when calling sdl_switch() with NULL surface 2015-03-12 12:54:23 +01:00
sdl2-2d.c ui/sdl2: Support shared surface for more pixman formats 2015-01-19 13:33:26 +01:00
sdl2-input.c sdl2: move keyboard input code to new sdl2-input.c 2014-12-17 12:43:27 +01:00
sdl2-keymap.h sdl2: keymap fixups 2014-09-16 08:07:05 +02:00
sdl2.c ui/sdl2: Support shared surface for more pixman formats 2015-01-19 13:33:26 +01:00
sdl_keysym.h ui/sdl2 : initial port to SDL 2.0 (v2.0) 2014-03-05 09:52:05 +01:00
sdl_zoom.c sdl: Fix heap smash in sdl_zoom_rgb{16,32} for int > 32 bits 2013-01-15 18:25:30 -06:00
sdl_zoom.h
sdl_zoom_template.h sdl: Fix heap smash in sdl_zoom_rgb{16,32} for int > 32 bits 2013-01-15 18:25:30 -06:00
spice-core.c spice: add unix address support 2015-01-22 11:18:41 +01:00
spice-display.c spice: fix coverity reported defect in display code 2015-01-22 11:18:41 +01:00
spice-input.c spice: input: Fix absolute mouse y coordinates 2014-03-24 08:41:21 +01:00
vgafont.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
vnc-auth-sasl.c vnc: drop display+ws_display from VncDisplay 2015-03-12 08:22:07 +01:00
vnc-auth-sasl.h aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
vnc-auth-vencrypt.c ui: remove unused 'wiremode' variable in VncState struct 2015-03-18 09:25:13 +01:00
vnc-auth-vencrypt.h
vnc-enc-hextile-template.h pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-hextile.c pixman/vnc: remove dead code. 2012-11-01 14:00:05 +01:00
vnc-enc-tight.c vnc-enc-tight: fix Arguments in wrong order 2014-12-10 10:08:12 +01:00
vnc-enc-tight.h vnc: tight add PNG encoding 2010-07-26 17:36:14 -05:00
vnc-enc-zlib.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
vnc-enc-zrle-template.c vnc: Add ZRLE and ZYWRLE encodings. 2011-02-23 16:28:28 -06:00
vnc-enc-zrle.c pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-zrle.h vnc: Add ZRLE and ZYWRLE encodings. 2011-02-23 16:28:28 -06:00
vnc-enc-zywrle-template.c Fix spelling in comments, documentation and messages 2011-12-14 11:09:44 +00:00
vnc-enc-zywrle.h misc: Spelling and grammar fixes in comments 2013-10-26 13:06:45 +04:00
vnc-jobs.c ui/vnc: Remove vnc_stop_worker_thread() 2015-03-10 08:15:33 +03:00
vnc-jobs.h ui/vnc: Remove vnc_stop_worker_thread() 2015-03-10 08:15:33 +03:00
vnc-palette.c ui/vnc-palette.c: Include headers it needs 2012-12-06 09:17:05 +01:00
vnc-palette.h misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
vnc-tls.c ui: remove separate gnutls_session for websockets server 2015-03-18 09:25:14 +01:00
vnc-tls.h ui: remove unused 'wiremode' variable in VncState struct 2015-03-18 09:25:13 +01:00
vnc-ws.c CVE-2015-1779: limit size of HTTP headers from websockets clients 2015-04-01 17:12:55 +02:00
vnc-ws.h CVE-2015-1779: incrementally decode websocket frames 2015-04-01 17:11:34 +02:00
vnc.c ui: remove separate gnutls_session for websockets server 2015-03-18 09:25:14 +01:00
vnc.h CVE-2015-1779: incrementally decode websocket frames 2015-04-01 17:11:34 +02:00
vnc_keysym.h qemu-char: add cyrillic characters 'numerosign' to VNC keysyms 2015-03-10 08:15:34 +03:00
x_keymap.c
x_keymap.h Delete useless 'extern' qualifiers for functions 2011-01-23 16:21:20 +00:00