package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch - buildroot - Git at Google

 From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
 From: Frediano Ziglio <fziglio@redhat.com>
 Date: Tue, 13 Dec 2016 14:39:48 +0000
 Subject: [PATCH] Prevent possible DoS attempts during protocol handshake

 The limit for link message is specified using a 32 bit unsigned integer.
 This could cause possible DoS due to excessive memory allocations and
 some possible crashes.
 For instance a value >= 2^31 causes a spice_assert to be triggered in
 async_read_handler (reds-stream.c) due to an integer overflow at this
 line:

    int n = async->end - async->now;

 This could be easily triggered with a program like

   #!/usr/bin/env python

   import socket
   import time
   from struct import pack

   server = '127.0.0.1'
   port = 5900

   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((server, port))
   data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
   s.send(data)

   time.sleep(1)

 without requiring any authentication (the same can be done
 with TLS).

 [Peter: fixes CVE-2016-9578]
 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
  server/reds.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/server/reds.c b/server/reds.c
 index f40b65c1..86a33d53 100644
 --- a/server/reds.c
 +++ b/server/reds.c
 @@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)

      reds->peer_minor_version = header->minor_version;

 -    if (header->size < sizeof(SpiceLinkMess)) {
 +    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
 +    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
          reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
          spice_warning("bad size %u", header->size);
          reds_link_free(link);
 --
 2.11.0
	From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
	From: Frediano Ziglio <fziglio@redhat.com>
	Date: Tue, 13 Dec 2016 14:39:48 +0000
	Subject: [PATCH] Prevent possible DoS attempts during protocol handshake

	The limit for link message is specified using a 32 bit unsigned integer.
	This could cause possible DoS due to excessive memory allocations and
	some possible crashes.
	For instance a value >= 2^31 causes a spice_assert to be triggered in
	async_read_handler (reds-stream.c) due to an integer overflow at this
	line:

	int n = async->end - async->now;

	This could be easily triggered with a program like

	#!/usr/bin/env python

	import socket
	import time
	from struct import pack

	server = '127.0.0.1'
	port = 5900

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((server, port))
	data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
	s.send(data)

	time.sleep(1)

	without requiring any authentication (the same can be done
	with TLS).

	[Peter: fixes CVE-2016-9578]
	Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
	Acked-by: Christophe Fergeau <cfergeau@redhat.com>
	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	---
	server/reds.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	diff --git a/server/reds.c b/server/reds.c
	index f40b65c1..86a33d53 100644
	--- a/server/reds.c
	+++ b/server/reds.c
	@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)

	reds->peer_minor_version = header->minor_version;

	- if (header->size < sizeof(SpiceLinkMess)) {
	+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
	+ if (header->size < sizeof(SpiceLinkMess) \|\| header->size > 4096) {
	reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
	spice_warning("bad size %u", header->size);
	reds_link_free(link);
	--
	2.11.0