3dcc8d3b | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: "Daniel P. Berrange" <berrange@redhat.com> |
3 | Date: Mon, 9 Oct 2017 14:43:42 +0100 | |
3dcc8d3b | 4 | Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource |
5 | |
6 | The websocket GSource is monitoring the size of the rawoutput | |
7 | buffer to determine if the channel can accept more writes. | |
8 | The rawoutput buffer, however, is merely a temporary staging | |
9 | buffer before data is copied into the encoutput buffer. Thus | |
10 | its size will always be zero when the GSource runs. | |
11 | ||
12 | This flaw causes the encoutput buffer to grow without bound | |
13 | if the other end of the underlying data channel doesn't | |
14 | read data being sent. This can be seen with VNC if a client | |
15 | is on a slow WAN link and the guest OS is sending many screen | |
16 | updates. A malicious VNC client can act like it is on a slow | |
17 | link by playing a video in the guest and then reading data | |
18 | very slowly, causing QEMU host memory to expand arbitrarily. | |
19 | ||
20 | This issue is assigned CVE-2017-15268, publically reported in | |
21 | ||
22 | https://bugs.launchpad.net/qemu/+bug/1718964 | |
23 | ||
24 | Reviewed-by: Eric Blake <eblake@redhat.com> | |
25 | Signed-off-by: Daniel P. Berrange <berrange@redhat.com> | |
26 | --- | |
27 | io/channel-websock.c | 4 ++-- | |
28 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
29 | ||
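diff --git a/io/channel-websock.c b/io/channel-websock.c
index 8fabadea2f..882bbb4cbc 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
 #include "trace.h"
 
 
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
 #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
 
 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
 if (wsource->wioc->rawinput.offset) {
 cond |= G_IO_IN;
 }
-if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
 cond |= G_IO_OUT;
 }
 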
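Review bot: Gating G_IO_OUT on `encoutput.offset` in the second hunk only throttles callers that wait on this GSource before writing; a caller that invokes the websock writev path directly is not covered here, so unless that path itself refuses or bounds further data once encoutput exceeds QIO_CHANNEL_WEBSOCK_MAX_BUFFER, the buffer can presumably still grow — worth confirming against the write implementation, which is outside this hunk. The corrected check also deserves a why-comment, since the buffer naming is what invited the original mistake: `/* rawoutput is only a transient staging buffer; encoutput is what accumulates when the peer stops reading */`. qio_channel_websock_source_prepare starts and ends outside the hunk.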
52 | -- | |
53 | 2.11.0 | |
54 |