On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <[email protected]>
wrote:
> A wrong exit condition may lead to an infinite loop when inflating a
> valid zlib buffer containing some extra bytes in the `inflate_buffer`
> function. The bug only occurs post-authentication. Return the buffer
> immediately if the end of the compressed data has been reached
> (Z_STREAM_END).
>
> Fixes: CVE-2023-3255
> Fixes: 0bf41cab ("ui/vnc: clipboard support")
> Reported-by: Kevin Denis <[email protected]>
> Signed-off-by: Mauro Matteo Cascella <[email protected]>
>
Tested-by: Marc-André Lureau <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Note: we may want to disconnect the client when there are extra bytes in
the message, or print some warnings.
> ---
> ui/vnc-clipboard.c | 10 ++++------
> 1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> index 8aeadfaa21..c759be3438 100644
> --- a/ui/vnc-clipboard.c
> +++ b/ui/vnc-clipboard.c
> @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t
> in_len, uint32_t *size)
> ret = inflate(&stream, Z_FINISH);
> switch (ret) {
> case Z_OK:
> - case Z_STREAM_END:
> break;
> + case Z_STREAM_END:
> + *size = stream.total_out;
> + inflateEnd(&stream);
> + return out;
> case Z_BUF_ERROR:
> out_len <<= 1;
> if (out_len > (1 << 20)) {
> @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t
> in_len, uint32_t *size)
> }
> }
>
> - *size = stream.total_out;
> - inflateEnd(&stream);
> -
> - return out;
> -
> err_end:
> inflateEnd(&stream);
> err:
> --
> 2.41.0
>
>
>
--
Marc-André Lureau
