[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] ui: reject extended clipboard message if not activated
|
From: |
Marc-André Lureau |
|
Subject: |
Re: [PATCH] ui: reject extended clipboard message if not activated |
|
Date: |
Mon, 15 Jan 2024 14:00:55 +0400 |
On Mon, Jan 15, 2024 at 1:52 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> The extended clipboard message protocol requires that the client
> activate the extension by requesting a psuedo encoding. If this
> is not done, then any extended clipboard messages from the client
> should be considered invalid and the client dropped.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
>
> The need for fix was identified as part of investigation for
> CVE-2023-6683. This does NOT, however, fix that CVE as it only
> addresses one of the problem codepaths that can trigger that
> CVE.
>
> ui/vnc.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 4f23a0fa79..3b2c71e653 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t
> *data, size_t len)
> }
>
> if (read_s32(data, 4) < 0) {
> + if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
> + error_report("vnc: extended clipboard message while
> disabled");
> + vnc_client_error(vs);
> + break;
> + }
> if (dlen < 4) {
> error_report("vnc: malformed payload (header less than 4
> bytes)"
> " in extended clipboard pseudo-encoding.");
> --
> 2.43.0
>
>
--
Marc-André Lureau