[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] ui: reject extended clipboard message if not activated
|
From: |
Daniel P . Berrangé |
|
Subject: |
[PATCH] ui: reject extended clipboard message if not activated |
|
Date: |
Mon, 15 Jan 2024 09:51:19 +0000 |
The extended clipboard message protocol requires that the client
activate the extension by requesting a psuedo encoding. If this
is not done, then any extended clipboard messages from the client
should be considered invalid and the client dropped.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
The need for fix was identified as part of investigation for
CVE-2023-6683. This does NOT, however, fix that CVE as it only
addresses one of the problem codepaths that can trigger that
CVE.
ui/vnc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index 4f23a0fa79..3b2c71e653 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t
*data, size_t len)
}
if (read_s32(data, 4) < 0) {
+ if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
+ error_report("vnc: extended clipboard message while disabled");
+ vnc_client_error(vs);
+ break;
+ }
if (dlen < 4) {
error_report("vnc: malformed payload (header less than 4
bytes)"
" in extended clipboard pseudo-encoding.");
--
2.43.0
- [PATCH] ui: reject extended clipboard message if not activated,
Daniel P . Berrangé <=