qemu-devel

From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websocket frames
Date: Tue, 31 Mar 2015 18:42:25 +0100

On 23 March 2015 at 22:58, Daniel P. Berrange <address@hidden> wrote:
> +int vncws_decode_frame_payload(Buffer *input,
> +                               size_t *payload_remain, WsMask *payload_mask,
> +                               uint8_t **payload, size_t *payload_size)
> +{
> +    size_t i;
> +    uint32_t *payload32;
>
> -    if (input->offset < *frame_size) {
> -        /* frame not complete */
> +    *payload = input->buffer;
> +    /* If we aren't at the end of the payload, then drop
> +     * off the last bytes, so we're always multiple of 4
> +     * for purpose of unmasking, except at end of payload
> +     */
> +    if (input->offset < *payload_remain) {
> +        *payload_size = input->offset - (input->offset % 4);
> +    } else {
> +        *payload_size = input->offset;
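Review bot: the else-branch `*payload_size = input->offset;` hands out every byte currently in the buffer rather than only what is left of this frame, so when more than *payload_remain bytes have been buffered (the head of a following frame), the chunk runs past the frame boundary and those bytes are unmasked and delivered as payload. Cap it at the frame, `*payload_size = *payload_remain;`. Note that with that cap the final chunk is no longer guaranteed to be a multiple of 4, which is what the comment's "except at end of payload" already allows for, so the unmasking this chunking serves (the payload32 declared above) must handle a 1 to 3 byte tail bytewise rather than only in uint32_t steps.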

This can set *payload_size to a value larger than
*payload_remain, if the input buffer happens to contain
further data after the end of this packet...

> +    }
> +    if (*payload_size == 0) {
>          return 0;
>      }
> -
> -    *payload = input->buffer + header_size;
> +    *payload_remain -= *payload_size;
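Review bot: `*payload_remain -= *payload_size;` is an unchecked subtraction on a size_t (the signature declares `size_t *payload_remain`), so if *payload_size ever exceeds *payload_remain the result wraps to a very large value rather than going negative, and every later `input->offset < *payload_remain` test then reports the frame as still incomplete. Guard it where the subtraction happens, for example `assert(*payload_size <= *payload_remain);`, or clamp *payload_size to *payload_remain where it is computed so the invariant holds by construction.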

...at which point this will end up making
*payload_remain negative. Disconnection happens shortly
afterwards.

Should the line
    *payload_size = input->offset;
actually read
    *payload_size = *payload_remain;

?

Making that change appears to fix the novnc disconnects
that Gerd reports.

thanks
-- PMM
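The effect described above, as an added example that is not part of the original message, the patch, or QEMU itself: a stand-alone C model of the chunk-sizing logic in the quoted hunk, with a `fixed` switch selecting between the else-branch as posted (`input->offset`) and the value suggested in the reply (`*payload_remain`). The Buffer and WsMask definitions, the uint32_t-at-a-time unmasking with a bytewise tail, the caller-side consumption of each chunk, the feed() helper, the Result struct, and the 9-byte input (a masked 6-byte payload followed by 3 bytes of a following frame) are all constructed stand-ins, not the project's types or data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for QEMU's Buffer (offset = bytes currently
 * held) and WsMask (four XOR mask bytes); not the real definitions. */
typedef struct { uint8_t buffer[64]; size_t offset; } Buffer;
typedef union { uint8_t b[4]; uint32_t u; } WsMask;

typedef struct {
    size_t payload_remain;  /* final value of *payload_remain */
    size_t produced;        /* bytes handed out as payload */
    size_t left_in_buffer;  /* bytes still queued in the Buffer */
    int text_ok;            /* 1 if delivered bytes start with "hello!" */
} Result;

/* Chunk sizing as in the quoted hunk. fixed == 0 reproduces the
 * else-branch as posted (input->offset); fixed == 1 uses payload_remain. */
static size_t chunk_size(const Buffer *input, size_t payload_remain, int fixed)
{
    if (input->offset < payload_remain) {
        return input->offset - (input->offset % 4);  /* keep 4-byte alignment */
    }
    return fixed ? payload_remain : input->offset;
}

/* One decode step: size the chunk, unmask it in place (uint32_t steps,
 * then bytewise for a tail shorter than 4), append it to out, drop it
 * from the Buffer as the caller would. Returns bytes produced (0 = wait). */
static size_t decode_payload(Buffer *input, size_t *payload_remain,
                             const WsMask *mask, uint8_t *out,
                             size_t *out_len, int fixed)
{
    size_t payload_size = chunk_size(input, *payload_remain, fixed);
    size_t i;

    if (payload_size == 0) {
        return 0;
    }
    for (i = 0; i + 4 <= payload_size; i += 4) {
        uint32_t w;
        memcpy(&w, input->buffer + i, 4);
        w ^= mask->u;                       /* byte k ^= mask->b[k] */
        memcpy(input->buffer + i, &w, 4);
    }
    for (; i < payload_size; i++) {
        input->buffer[i] ^= mask->b[i % 4];
    }
    memcpy(out + *out_len, input->buffer, payload_size);
    *out_len += payload_size;
    memmove(input->buffer, input->buffer + payload_size,
            input->offset - payload_size);
    input->offset -= payload_size;
    *payload_remain -= payload_size;        /* size_t: wraps if oversized */
    return payload_size;
}

static void feed(Buffer *in, const uint8_t *src, size_t n)
{
    memcpy(in->buffer + in->offset, src, n);
    in->offset += n;
}

/* Drive the decoder over a constructed 9-byte input: a masked 6-byte
 * payload ("hello!") followed by 3 bytes belonging to the next frame.
 * The first 'first' bytes arrive together, the rest in a second read. */
Result run_scenario(int fixed, size_t first)
{
    static const uint8_t clear[6] = { 'h', 'e', 'l', 'l', 'o', '!' };
    WsMask mask = { .b = { 0x12, 0x34, 0x56, 0x78 } };
    uint8_t wire[9], out[64];
    Buffer in = { .offset = 0 };
    size_t remain = 6, out_len = 0, i;
    Result r;

    for (i = 0; i < 6; i++) {
        wire[i] = clear[i] ^ mask.b[i % 4];  /* client-side masking */
    }
    wire[6] = 0x81; wire[7] = 0x85; wire[8] = 0xaa;  /* next frame's bytes */

    feed(&in, wire, first);
    while (remain && decode_payload(&in, &remain, &mask, out, &out_len, fixed)) { }
    feed(&in, wire + first, 9 - first);
    while (remain && decode_payload(&in, &remain, &mask, out, &out_len, fixed)) { }

    r.payload_remain = remain;
    r.produced = out_len;
    r.left_in_buffer = in.offset;
    r.text_ok = out_len >= 6 && memcmp(out, "hello!", 6) == 0;
    return r;
}

int main(void)
{
    int fixed;
    for (fixed = 0; fixed < 2; fixed++) {
        Result r = run_scenario(fixed, 9);
        printf("%-10s remain=%zu produced=%zu left=%zu text_ok=%d\n",
               fixed ? "fixed:" : "as posted:", r.payload_remain,
               r.produced, r.left_in_buffer, r.text_ok);
    }
    return 0;
}
```

With the else-branch as posted, the decoder swallows all 9 buffered bytes as payload and `payload_remain` ends up as `(size_t)-3`, the "negative" value the reply describes, which on a size_t is a wrap rather than a sign change; with `*payload_remain` used instead, exactly 6 bytes are delivered, the 3 bytes of the next frame stay queued, and the count reaches 0. Passing `first = 5` exercises the 4-byte-aligned partial path before the final short chunk.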


