The extended clipboard message protocol requires that the client activate the extension by requesting a pseudo encoding. If this is not done, then any extended clipboard messages from the client should be considered invalid and the client dropped.
Signed-off-by: Daniel P. Berrangé <[email protected]> --- The need for fix was identified as part of investigation for CVE-2023-6683. This does NOT, however, fix that CVE as it only addresses one of the problem codepaths that can trigger that CVE. ui/vnc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ui/vnc.c b/ui/vnc.c index 4f23a0fa79..3b2c71e653 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) } if (read_s32(data, 4) < 0) { + if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) { + error_report("vnc: extended clipboard message while disabled"); + vnc_client_error(vs); + break; + } if (dlen < 4) { error_report("vnc: malformed payload (header less than 4 bytes)" " in extended clipboard pseudo-encoding."); -- 2.43.0
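Review bot: The new `!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)` branch in protocol_client_msg() calls error_report() on a condition that the remote client controls, so a client that reconnects and repeats the message can write one host log line per attempt. The neighbouring "malformed payload" check already follows the same pattern, so this is consistent with the existing code, but it would be worth considering a trace event or a rate-limited report for both. A short comment above the check stating that the feature bit is only set once the client has requested the pseudo-encoding would also make the intent clear to later readers, since the note under the `---` says other code paths can still reach the same problem and will need a similar guard.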
