1 From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 13 Dec 2016 14:39:48 +0000
4 Subject: [PATCH] Prevent possible DoS attempts during protocol handshake
6 The limit for link message is specified using a 32 bit unsigned integer.
7 This could cause possible DoS due to excessive memory allocations and
9 For instance a value >= 2^31 causes a spice_assert to be triggered in
10 async_read_handler (reds-stream.c) due to an integer overflow at this
13 int n = async->end - async->now;
15 This could be easily triggered with a program like
21 from struct import pack
26 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
27 s.connect((server, port))
28 data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
33 without requiring any authentication (the same can be done
36 [Peter: fixes CVE-2016-9578]
37 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
38 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
39 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
42 1 file changed, 2 insertions(+), 1 deletion(-)
44 diff --git a/server/reds.c b/server/reds.c
45 index f40b65c1..86a33d53 100644
48 @@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
50 reds->peer_minor_version = header->minor_version;
52 - if (header->size < sizeof(SpiceLinkMess)) {
53 + /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
54 + if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
55 reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
56 spice_warning("bad size %u", header->size);