From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH v1 1/7] io: monitor encoutput buffer size from websocket GSource
Date: Tue, 10 Oct 2017 18:34:42 +0100
User-agent: Mutt/1.9.0 (2017-09-02)
On Tue, Oct 10, 2017 at 11:51:00AM -0500, Eric Blake wrote:
> On 10/10/2017 10:43 AM, Daniel P. Berrange wrote:
> > The websocket GSource is monitoring the size of the rawoutput
> > buffer to determine if the channel can accept more writes.
> > The rawoutput buffer, however, is merely a temporary staging
> > buffer before data is copied into the encoutput buffer. This
>
> s/This/Thus/
>
> > its size will always be zero when the GSource runs.
> >
> > This flaw causes the encoutput buffer to grow without bound
> > if the other end of the underlying data channel doesn't
> > read data being sent. This can be seen with VNC if a client
> > is on a slow WAN link and the guest OS is sending many screen
> > updates. A malicious VNC client can act like it is on a slow
> > link by playing a video in the guest and then reading data
> > very slowly, causing QEMU host memory to expand arbitrarily.
> >
> > This issue is assigned CVE-2017-????, publicly reported in
>
> If we get the assignment in time, I'm sure you'll update this before the
> PULL request.
Yes, exactly the plan...
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
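
The flaw described in the quoted commit message, as an added example that is not part of the original message or of the QEMU patch: a simplified model of a two-stage output path, where the writability check watches either the staging buffer or the encoded buffer while the peer reads slowly. The struct, function names, high-water mark and framing overhead are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not QEMU code; all names and constants are assumptions. */
#define MAX_BUFFERED   8192  /* assumed high-water mark */
#define FRAME_OVERHEAD 4     /* assumed per-write framing cost */

struct chan {
    size_t rawoutput;  /* staging buffer, emptied by every write */
    size_t encoutput;  /* encoded bytes waiting for the peer to read */
};
enum check { CHECK_RAW, CHECK_ENC };

/* Writability test as the event source would perform it. */
static int can_write(const struct chan *c, enum check which)
{
    size_t pending = (which == CHECK_RAW) ? c->rawoutput : c->encoutput;
    return pending < MAX_BUFFERED;
}

/* One write: stage the data, then encode it straight into encoutput. */
static void do_write(struct chan *c, size_t len)
{
    c->rawoutput += len;
    c->encoutput += c->rawoutput + FRAME_OVERHEAD;
    c->rawoutput = 0;
}

/* Producer offers wr bytes per round, peer reads rd; returns peak encoutput. */
static size_t simulate(enum check which, int rounds, size_t wr, size_t rd)
{
    struct chan c = {0, 0};
    size_t peak = 0;
    for (int i = 0; i < rounds; i++) {
        if (can_write(&c, which))
            do_write(&c, wr);
        if (c.encoutput > peak)
            peak = c.encoutput;
        c.encoutput -= (rd < c.encoutput) ? rd : c.encoutput; /* slow reader */
    }
    return peak;
}

int main(void)
{
    printf("watching rawoutput: peak %zu bytes\n", simulate(CHECK_RAW, 1000, 4096, 16));
    printf("watching encoutput: peak %zu bytes\n", simulate(CHECK_ENC, 1000, 4096, 16));
    return 0;
}
```

When the check watches the staging buffer it always sees zero, so the peak grows with the number of rounds; when it watches the encoded buffer the peak stays within one write of the high-water mark.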