1 | From: Markus Koschany <apo@debian.org> |
2 | Date: Mon, 13 Feb 2017 21:38:02 +0100 | |
3 | Subject: CVE-2016-9577 and CVE-2016-9578 | |
4 | ||
5 | Bug-Debian: https://bugs.debian.org/854336 | |
6 | Origin: http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d | |
7 | --- | |
8 | server/main_channel.c | 3 +++ | |
9 | server/reds.c | 11 ++++++++++- | |
10 | 2 files changed, 13 insertions(+), 1 deletion(-) | |
11 | ||
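diff --git a/server/main_channel.c b/server/main_channel.c
index 0ecc9df..1fc3915 100644
--- a/server/main_channel.c
+++ b/server/main_channel.c
@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
 
 if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
 return reds_get_agent_data_buffer(mcc, size);
+ } else if (size > sizeof(main_chan->recv_buf)) {
+ /* message too large, caller will log a message and close the connection */
+ return NULL;
 } else {
 return main_chan->recv_buf;
 }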
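Review bot: The new `size > sizeof(main_chan->recv_buf)` guard only protects the fixed-buffer branch; the agent-data branch above it still hands the client-supplied size straight to reds_get_agent_data_buffer, so that helper must enforce its own bound — confirm it does, because this hunk does not. The comparison also relies on recv_buf being declared as an array (if it were a pointer, sizeof would be the pointer size and the check would be almost always true); a one-line note such as `/* recv_buf is a fixed-size array, so sizeof is its capacity */` would make that assumption visible to the next reader. main_channel_alloc_msg_rcv_buf starts before this hunk, so the declarations of main_chan and size are not visible here.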
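diff --git a/server/reds.c b/server/reds.c
index 61bf735..4c60f58 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
 link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
 link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
 
+ /* Prevent DoS. Currently we defined only 13 capabilities,
+ * I expect 1024 to be valid for quite a lot time */
+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ reds_link_free(link);
+ return;
+ }
+
 num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
 caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
 
@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done(void *opaque)
 
 reds->peer_minor_version = header->minor_version;
 
- if (header->size < sizeof(SpiceLinkMess)) {
+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
 reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
 spice_warning("bad size %u", header->size);
 reds_link_free(link);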
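Review bot: The cap count is now bounded in reds_handle_read_link_done, but `caps_offset` on the line right after the new check is still taken from the client message without any bound inside this hunk; whether the existing code verifies that `caps_offset + num_caps * sizeof(uint32_t)` stays within the received message size is not visible here and should be confirmed, since otherwise the capability loop could read past the allocated message. The limits 1024 here and 4096 in the reds_handle_read_header_done hunk are bare literals repeated in both code and comment; a named constant, e.g. `enum { REDS_MAX_CAPS = 1024 };` (constructed name) used in the comparison, would keep the comment and the check in step. Both reds_handle_read_link_done and reds_handle_read_header_done extend beyond their hunks.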