[Qemu-devel] [PULL v1 04/11] io: monitor encoutput buffer size from webs
From: Daniel P. Berrange
Subject: [Qemu-devel] [PULL v1 04/11] io: monitor encoutput buffer size from websocket GSource
Date: Mon, 16 Oct 2017 21:16:43 +0100
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accept more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publicly reported in
https://bugs.launchpad.net/qemu/+bug/1718964
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
---
io/channel-websock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/io/channel-websock.c b/io/channel-websock.c
index d1d471f86e..04bcc059cd 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -28,7 +28,7 @@
#include <time.h>
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
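Review bot: the comment now names rawinput/encoutput, but QIO_CHANNEL_WEBSOCK_MAX_BUFFER still reads as one shared limit, and nothing here says why rawoutput was dropped from it; since the commit message describes rawoutput as a transient staging buffer that is drained into encoutput before the GSource runs, a one-line note at this comment saying that rawoutput is deliberately not bounded by this constant would save the next reader from re-deriving that.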
@@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source)
if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
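Review bot: the new condition only stops advertising G_IO_OUT once encoutput.offset has already reached QIO_CHANNEL_WEBSOCK_MAX_BUFFER, so a write that is encoded into encoutput while the offset sits just under 8192 can still push the buffer past the limit by the size of that one frame; that is fine as back-pressure hysteresis, but the commit message should say the constant is a throttle threshold rather than a hard cap, and it is worth confirming that the write path (not in this diff) cannot append more than one frame before qio_channel_websock_source_check runs again.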
--
2.13.5
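As an added illustration that is not part of this patch or of QEMU's code, the C model below reproduces the two-buffer write path the commit message describes (rawoutput staging buffer, then encoutput holding framed data waiting for the socket) and shows why a readiness check on rawoutput.offset never throttles a writer while the check on encoutput.offset does; the struct names, the fixed 2-byte frame header and the peer that accepts nothing are constructed assumptions.

```c
/* Constructed model of the websock write path: rawoutput (staging) ->
 * encoutput (framed, pending on the socket). Not QEMU code. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_BUFFER 8192          /* mirrors QIO_CHANNEL_WEBSOCK_MAX_BUFFER */

struct buf { size_t offset; };   /* only the fill level is modelled */
struct wsioc { struct buf rawoutput, encoutput; };

/* Writer: stage the payload, then encode all of it into encoutput.
 * A 2-byte frame header is assumed (correct for unmasked payloads
 * under 126 bytes); the staging buffer is empty again afterwards. */
static void ws_write(struct wsioc *c, size_t len)
{
    c->rawoutput.offset += len;
    c->encoutput.offset += c->rawoutput.offset + 2;
    c->rawoutput.offset = 0;
}

/* Socket flush: the peer drains at most 'accept' encoded bytes. */
static void ws_flush(struct wsioc *c, size_t accept)
{
    if (accept > c->encoutput.offset) accept = c->encoutput.offset;
    c->encoutput.offset -= accept;
}

/* The two readiness checks from the patch, before and after. */
static bool check_old(const struct wsioc *c) { return c->rawoutput.offset < MAX_BUFFER; }
static bool check_new(const struct wsioc *c) { return c->encoutput.offset < MAX_BUFFER; }

/* Drive up to 'rounds' writes of 'len' bytes against a peer that reads
 * nothing, writing only while the given check reports G_IO_OUT.
 * Returns how much encoded data is left queued in encoutput. */
static size_t simulate(bool (*check)(const struct wsioc *), int rounds, size_t len)
{
    struct wsioc c = {{0}, {0}};
    for (int i = 0; i < rounds; i++) {
        if (!check(&c)) break;    /* GSource would not dispatch a write */
        ws_write(&c, len);
        ws_flush(&c, 0);          /* stalled peer: nothing is drained */
    }
    return c.encoutput.offset;
}
```

With the old check the queue grows by one frame per round with no limit; with the new check writing stops once the threshold is reached, though the last frame may overshoot it slightly, which is the hysteresis behaviour of a readiness check rather than a hard cap.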