The VNC websockets protocol decoder has two places where it did not correctly limit its resource usage when processing data from the client. This can be abused by a malicious client to cause QEMU to consume all system memory, unless it is otherwise limited by ulimits and/or cgroups. These problems can be triggered in the websockets layer before the VNC protocol actually starts, so no client authentication will have taken place at this point.
Daniel P. Berrange (2):
  CVE-2015-1779: incrementally decode websocket frames
  CVE-2015-1779: limit size of HTTP headers from websockets clients

 ui/vnc-ws.c | 115 +++++++++++++++++++++++++++++++++++++++++-------------------
 ui/vnc-ws.h |   9 +++--
 ui/vnc.h    |   2 ++
 3 files changed, 88 insertions(+), 38 deletions(-)

--
2.1.0
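A defensive sketch of the two limits the series describes (a cap on the buffered HTTP upgrade request, and deciding on a frame's declared payload length before anything is buffered), written as an added example; it is not QEMU's ui/vnc-ws.c code, and the names, constants and limits are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: the names and limits below are assumed, not QEMU's. */
#define WS_HANDSHAKE_MAX 4096             /* cap on the HTTP upgrade request */
#define WS_FRAME_PAYLOAD_MAX (64 * 1024)  /* cap on one frame's declared payload */

enum ws_status { WS_NEED_MORE = 0, WS_COMPLETE = 1, WS_TOO_LARGE = -1 };

typedef struct { char data[WS_HANDSHAKE_MAX]; size_t len; } ws_handshake_buf;

/* Append a chunk of the client's HTTP upgrade request. The cap is checked before
 * any copy, so a client that never sends the blank line ending the headers cannot
 * grow the buffer without bound (this runs before VNC authentication). */
enum ws_status ws_handshake_feed(ws_handshake_buf *b, const char *chunk, size_t n)
{
    if (n > WS_HANDSHAKE_MAX - b->len) return WS_TOO_LARGE;
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    for (size_t i = 0; i + 4 <= b->len; i++)      /* headers end at an empty line */
        if (memcmp(b->data + i, "\r\n\r\n", 4) == 0) return WS_COMPLETE;
    return WS_NEED_MORE;
}

/* Parse a websocket frame header from a partial buffer. Returns the header size,
 * 0 if more bytes are needed, or -1 if the declared payload exceeds the limit.
 * Deciding on the declared length means nothing is buffered for oversized frames. */
int ws_frame_header(const uint8_t *buf, size_t len, uint64_t *payload_len)
{
    if (len < 2) return 0;
    uint64_t plen = buf[1] & 0x7f;
    size_t hdr = 2;
    if (plen == 126) {
        if (len < 4) return 0;
        plen = ((uint64_t)buf[2] << 8) | buf[3];
        hdr = 4;
    } else if (plen == 127) {
        if (len < 10) return 0;
        plen = 0;
        for (int i = 0; i < 8; i++) plen = (plen << 8) | buf[2 + i];
        hdr = 10;
    }
    if (buf[1] & 0x80) hdr += 4;                  /* masking key follows the length */
    if (len < hdr) return 0;
    if (plen > WS_FRAME_PAYLOAD_MAX) return -1;
    *payload_len = plen;
    return (int)hdr;
}
```

The caller is expected to drop the connection on WS_TOO_LARGE or -1 rather than retry, since both answers are final for that client.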
