On Mon, Jan 15, 2024 at 1:52 PM Daniel P. Berrangé <[email protected]> wrote: > > The extended clipboard message protocol requires that the client > activate the extension by requesting a psuedo encoding. If this > is not done, then any extended clipboard messages from the client > should be considered invalid and the client dropped. > > Signed-off-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]> > --- > > The need for fix was identified as part of investigation for > CVE-2023-6683. This does NOT, however, fix that CVE as it only > addresses one of the problem codepaths that can trigger that > CVE. > > ui/vnc.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/ui/vnc.c b/ui/vnc.c > index 4f23a0fa79..3b2c71e653 100644 > --- a/ui/vnc.c > +++ b/ui/vnc.c > @@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t > *data, size_t len) > } > > if (read_s32(data, 4) < 0) { > + if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) { > + error_report("vnc: extended clipboard message while > disabled"); > + vnc_client_error(vs); > + break; > + } > if (dlen < 4) { > error_report("vnc: malformed payload (header less than 4 > bytes)" > " in extended clipboard pseudo-encoding."); > -- > 2.43.0 > > -- Marc-André Lureau
