git.proxmox.com Git - pve-qemu.git/blob - debian/patches/extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
55205440ffb1112f328f24cede493a19cd33aa73
From 89a1271a7687018cdbf2b7f92cf3d50d079e100e Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 9 Oct 2017 14:43:42 +0100
Subject: [PATCH 21/23] io: monitor encoutput buffer size from websocket
 GSource

The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.

This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.

This issue is assigned CVE-2017-15268, publicly reported in

https://bugs.launchpad.net/qemu/+bug/1718964

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 io/channel-websock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/io/channel-websock.c b/io/channel-websock.c
index 8fabadea2f..882bbb4cbc 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
35 @@ -26,7 +26,7 @@
36 #include "trace.h"
37
38
39 -/* Max amount to allow in rawinput/rawoutput buffers */
40 +/* Max amount to allow in rawinput/encoutput buffers */
41 #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
42
43 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
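Review bot: the reworded comment on QIO_CHANNEL_WEBSOCK_MAX_BUFFER still reads as a hard cap, but the only use visible in this patch is the readiness test in qio_channel_websock_source_prepare, where the macro is a threshold below which G_IO_OUT is reported; a write issued while encoutput is just under 8192 is still encoded in full, so encoutput can exceed the value by one frame. Suggest wording it as a threshold, e.g. `/* Stop reporting readiness once rawinput/encoutput reach this size */`, so nobody later relies on it as an absolute bound.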
44 @@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
45 if (wsource->wioc->rawinput.offset) {
46 cond |= G_IO_IN;
47 }
48 - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
49 + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
50 cond |= G_IO_OUT;
51 }
52
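Review bot: switching the G_IO_OUT test to encoutput.offset fixes the readiness signal, but it only bounds callers that wait for the GSource before writing; nothing in this patch adds a check inside the write path itself, so a caller that writes without polling is still unbounded. Worth confirming in the description or a follow-up that no in-tree writer bypasses the source, and that any companion function which mirrors this condition (a _check or _dispatch for the same GSource, if one exists) received the same rawoutput -> encoutput change, otherwise the two would disagree about writability.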
-- 
2.11.0

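To make the flow-control defect described in the commit message concrete, the following added C model (not QEMU code, and not part of this patch) reproduces the two output buffers with invented struct names, a two-byte stand-in for the websocket frame header, and a producer that writes one screen update each time the prepare callback reports G_IO_OUT while the peer never drains the socket. Gating on the staging buffer never blocks, so encoded output grows with every iteration; gating on the encoded buffer stops the producer once the threshold is crossed, overshooting it by at most one frame.

```c
/* Added example (not QEMU code): model the readiness-gate bug fixed above. */
#include <stddef.h>
#include <stdio.h>

#define MAX_BUFFER 8192   /* same threshold as QIO_CHANNEL_WEBSOCK_MAX_BUFFER */
#define G_IO_OUT 0x4      /* stand-in for glib's G_IO_OUT flag */

/* Minimal model of the channel's two output buffers. Field names mirror
 * the patch; the struct layout is invented for this example. */
struct buffer { size_t offset; };
struct channel {
    struct buffer rawoutput;  /* staging buffer, emptied on every write */
    struct buffer encoutput;  /* framed bytes waiting for the socket */
};

/* Stage a payload in rawoutput, then frame it into encoutput.
 * rawoutput is always empty again when this returns, which is why
 * gating on rawoutput.offset never blocks. The 2-byte header is an
 * assumed short-frame cost, not the real websocket encoding. */
static void channel_write(struct channel *c, size_t len) {
    c->rawoutput.offset += len;
    c->encoutput.offset += c->rawoutput.offset + 2;
    c->rawoutput.offset = 0;
}

/* GSource prepare callback before the fix: tests the staging buffer. */
static int prepare_buggy(const struct channel *c) {
    return c->rawoutput.offset < MAX_BUFFER ? G_IO_OUT : 0;
}

/* GSource prepare callback after the fix: tests the buffer that accumulates. */
static int prepare_fixed(const struct channel *c) {
    return c->encoutput.offset < MAX_BUFFER ? G_IO_OUT : 0;
}

/* Run `iterations` rounds of: poll readiness, write one `update_len` frame
 * if G_IO_OUT is reported, then let the peer drain at most `drain` bytes.
 * Returns the peak encoutput size observed, i.e. host memory held for
 * undelivered frames. */
static size_t simulate(int (*prepare)(const struct channel *),
                       size_t update_len, size_t drain, int iterations) {
    struct channel c = {{0}, {0}};
    size_t peak = 0;
    for (int i = 0; i < iterations; i++) {
        if (prepare(&c) & G_IO_OUT) {
            channel_write(&c, update_len);
        }
        if (c.encoutput.offset > peak) {
            peak = c.encoutput.offset;
        }
        c.encoutput.offset -= (drain < c.encoutput.offset) ? drain
                                                            : c.encoutput.offset;
    }
    return peak;
}

int main(void) {
    /* Constructed scenario: 1024-byte updates, peer reads nothing. */
    printf("buggy gate, stalled peer: peak encoutput = %zu bytes\n",
           simulate(prepare_buggy, 1024, 0, 1000));
    printf("fixed gate, stalled peer: peak encoutput = %zu bytes\n",
           simulate(prepare_fixed, 1024, 0, 1000));
    printf("fixed gate, peer keeps up: peak encoutput = %zu bytes\n",
           simulate(prepare_fixed, 1024, 1026, 1000));
    return 0;
}
```

The peak for the fixed gate lands slightly above MAX_BUFFER because the threshold is checked before a write, not enforced on the write itself; that is the behaviour the comment in the first hunk should describe.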