| From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 |
| From: Frediano Ziglio <fziglio@redhat.com> |
| Date: Tue, 13 Dec 2016 14:39:48 +0000 |
| Subject: [PATCH] Prevent possible DoS attempts during protocol handshake |
| |
| The limit for link message is specified using a 32 bit unsigned integer. |
| This could cause possible DoS due to excessive memory allocations and |
| some possible crashes. |
| For instance a value >= 2^31 causes a spice_assert to be triggered in |
| async_read_handler (reds-stream.c) due to an integer overflow at this |
| line: |
| |
| int n = async->end - async->now; |
| |
| This could be easily triggered with a program like |
| |
| #!/usr/bin/env python |
| |
| import socket |
| import time |
| from struct import pack |
| |
| server = '127.0.0.1' |
| port = 5900 |
| |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| s.connect((server, port)) |
| data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa) |
| s.send(data) |
| |
| time.sleep(1) |
| |
| without requiring any authentication (the same can be done |
| with TLS). |
| |
| [Peter: fixes CVE-2016-9578] |
| Signed-off-by: Frediano Ziglio <fziglio@redhat.com> |
| Acked-by: Christophe Fergeau <cfergeau@redhat.com> |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| server/reds.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/server/reds.c b/server/reds.c |
| index f40b65c1..86a33d53 100644 |
| --- a/server/reds.c |
| +++ b/server/reds.c |
| @@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque) |
| |
| reds->peer_minor_version = header->minor_version; |
| |
| - if (header->size < sizeof(SpiceLinkMess)) { |
| + /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ |
| + if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { |
| reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); |
| spice_warning("bad size %u", header->size); |
| reds_link_free(link); |
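Review bot: the 4096 bound in the new `if` is a bare magic number; a named constant defined next to `SpiceLinkMess` (for example `#define SPICE_LINK_MESS_MAX_SIZE 4096`, name suggested here) would state the intent at the definition and keep the limit in one place, with the comment reading something like `/* cap the link message so a client cannot force arbitrarily large allocations */` instead of the current "to avoid clients to cause". Also worth noting in the commit message or a comment: this check only shields the `int n = async->end - async->now` overflow in async_read_handler (reds-stream.c) from this caller; the diffstat shows only server/reds.c is touched, so the signed arithmetic itself is unchanged and any other path that hands that handler a span of 2^31 bytes or more still trips the spice_assert.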
| -- |
| 2.11.0 |
| |
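The bound the patch introduces, as an added example that is not part of the original patch or of the SPICE code base: it parses a header laid out like the reproducer's `pack('<4sIII', ...)` (magic, major, minor, size; an assumed, simplified mirror of the real header), applies the same lower and upper size check before anything is allocated, and separately shows why a size of 2^31 or more cannot survive as an `int` byte count. `LINK_MESS_MIN_SIZE` stands in for `sizeof(SpiceLinkMess)` and is an assumed value.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, simplified layout matching the reproducer's pack('<4sIII'):
 * magic, major_version, minor_version, size (little-endian). Not the
 * project's own definition. */
typedef struct {
    char     magic[4];
    uint32_t major_version;
    uint32_t minor_version;
    uint32_t size;           /* length of the link message that follows */
} link_header_t;

#define LINK_HEADER_LEN     16u
#define LINK_MESS_MIN_SIZE  16u   /* assumed stand-in for sizeof(SpiceLinkMess) */
#define LINK_MESS_MAX_SIZE  4096u /* upper bound introduced by the patch */

enum link_status { LINK_OK, LINK_ERR_SHORT, LINK_ERR_MAGIC, LINK_ERR_SIZE };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Mirrors the patched condition: reject sizes below the minimum message
 * or above 4096 before any read or allocation of `size` bytes happens. */
bool link_size_ok(uint32_t size) {
    return size >= LINK_MESS_MIN_SIZE && size <= LINK_MESS_MAX_SIZE;
}

/* The arithmetic the commit message points at: a remaining-byte count kept
 * in an int cannot represent a span of 2^31 bytes or more. */
bool remaining_fits_int(uint32_t size) {
    return size <= (uint32_t)INT_MAX;
}

/* Parse and validate a raw header; fields are filled in on LINK_OK. */
enum link_status parse_link_header(const uint8_t *buf, size_t len, link_header_t *out) {
    if (len < LINK_HEADER_LEN) return LINK_ERR_SHORT;
    if (memcmp(buf, "REDQ", 4) != 0) return LINK_ERR_MAGIC;
    memcpy(out->magic, buf, 4);
    out->major_version = rd_le32(buf + 4);
    out->minor_version = rd_le32(buf + 8);
    out->size          = rd_le32(buf + 12);
    return link_size_ok(out->size) ? LINK_OK : LINK_ERR_SIZE;
}

/* Constructed input: the reproducer's magic and versions with a chosen size,
 * so the check can be exercised without a socket. */
enum link_status status_for_size(uint32_t size) {
    uint8_t buf[LINK_HEADER_LEN] = { 'R', 'E', 'D', 'Q', 2, 0, 0, 0, 2, 0, 0, 0 };
    for (int i = 0; i < 4; i++) buf[12 + i] = (uint8_t)(size >> (8 * i));
    link_header_t h;
    return parse_link_header(buf, sizeof buf, &h);
}
```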