1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: "Daniel P. Berrange" <berrange@redhat.com>
3 Date: Mon, 9 Oct 2017 14:43:42 +0100
4 Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
6 The websocket GSource is monitoring the size of the rawoutput
7 buffer to determine if the channel can accepts more writes.
8 The rawoutput buffer, however, is merely a temporary staging
9 buffer before data is copied into the encoutput buffer. Thus
10 its size will always be zero when the GSource runs.
12 This flaw causes the encoutput buffer to grow without bound
13 if the other end of the underlying data channel doesn't
14 read data being sent. This can be seen with VNC if a client
15 is on a slow WAN link and the guest OS is sending many screen
16 updates. A malicious VNC client can act like it is on a slow
17 link by playing a video in the guest and then reading data
18 very slowly, causing QEMU host memory to expand arbitrarily.
20 This issue is assigned CVE-2017-15268, publically reported in
22 https://bugs.launchpad.net/qemu/+bug/1718964
24 Reviewed-by: Eric Blake <eblake@redhat.com>
25 Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
27 io/channel-websock.c | 4 ++--
28 1 file changed, 2 insertions(+), 2 deletions(-)
30 diff --git a/io/channel-websock.c b/io/channel-websock.c
31 index 8fabadea2f..882bbb4cbc 100644
32 --- a/io/channel-websock.c
33 +++ b/io/channel-websock.c
38 -/* Max amount to allow in rawinput/rawoutput buffers */
39 +/* Max amount to allow in rawinput/encoutput buffers */
40 #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
42 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
43 @@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
44 if (wsource->wioc->rawinput.offset) {
47 - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
48 + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
projects / pve-qemu.git / blob