On Wed, Apr 01, 2015 at 02:41:57PM +0100, Peter Maydell wrote:
> On 1 April 2015 at 14:36, Gerd Hoffmann wrote:
> > Confirmed. Fixes the issues I've seen in testing and looks sensible to
> > me. Comment from Daniel would be nice, especially as I know next to
> > nothing about websockets, but he
On 1 April 2015 at 14:36, Gerd Hoffmann wrote:
> Confirmed. Fixes the issues I've seen in testing and looks sensible to
> me. Comment from Daniel would be nice, especially as I know next to
> nothing about websockets, but he seems to be off into the easter
> holidays already.
>
> So, with -rc2 w
Hi,
> > +if (input->offset < *payload_remain) {
> > +*payload_size = input->offset - (input->offset % 4);
> > +} else {
> > +*payload_size = input->offset;
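Review bot: the else branch `*payload_size = input->offset;` hands back every byte in the buffer, but input->offset can exceed *payload_remain when the next frame's bytes arrived in the same read, so the tail of the buffer (the following frame's header and its payload, masked with a different key) would be unmasked with this frame's key and delivered to the VNC layer as payload. Clamp it to the frame, `*payload_size = *payload_remain;`, so that the bytes beyond the current frame stay in the input buffer for the next header decode.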
>
> This can set *payload_size to a value larger than
> *payload_remain, if the input buffer happens to contain
> f
On 23 March 2015 at 22:58, Daniel P. Berrange wrote:
> -if (*payload_size < 126) {
> -header_size = 6;
> -mask = header->u.m;
> -} else if (*payload_size == 126 && input->offset >= 8) {
> -*payload_size = be16_to_cpu(header->u.s16.l16);
> -header_size = 8;
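Review bot: the branch being removed, `} else if (*payload_size == 126 && input->offset >= 8) {`, is the only place this hunk shows the 16-bit length read being guarded against a short buffer; the replacement needs the same `input->offset >= 8` check before it touches `header->u.s16.l16`, and the corresponding 10-byte minimum for the 127 / 64-bit length form, since only the `-` side of the hunk is visible here and the new bounds checks are not.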
>
On 23 March 2015 at 22:58, Daniel P. Berrange wrote:
> +int vncws_decode_frame_payload(Buffer *input,
> + size_t *payload_remain, WsMask *payload_mask,
> + uint8_t **payload, size_t *payload_size)
> +{
> +size_t i;
> +uint32_t *pa
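Review bot: `size_t *payload_remain` and `WsMask *payload_mask` are in/out state carried across calls for a single frame, which the signature does not document; add a comment on vncws_decode_frame_payload stating that the caller must keep both untouched between calls, that *payload_remain should be decremented by exactly the bytes returned through *payload / *payload_size, and that *payload_remain reaching 0 marks the end of the frame, after which the caller goes back to header decoding.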
The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger
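The two frame-decoding issues in this thread, Peter's point above that *payload_size can exceed *payload_remain when the next frame's bytes are already in the buffer, and the unbounded buffering the commit message describes, shown in one added example (my own code, not QEMU's vnc-ws code and not Daniel's patch): a small C decoder that bounds the declared payload length at header-parse time, before anything is buffered, and unmasks the payload in whatever chunks arrive, clamped to the current frame. The names ws_decode_header, ws_decode_payload, ws_build_frame and ws_selftest, and the WS_MAX_PAYLOAD limit, are hypothetical; the frames in the self-test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-frame limit; the page does not show what QEMU chose. */
#define WS_MAX_PAYLOAD ((uint64_t)1 << 20)

typedef struct { uint8_t opcode; uint64_t payload_len; uint8_t mask[4]; } ws_frame_hdr;

/* Parse an RFC 6455 client->server frame header from the first `avail` bytes.
 * Returns the header size consumed, 0 if more bytes are needed, -1 if the frame
 * is invalid or its declared length exceeds WS_MAX_PAYLOAD. The size check runs
 * here, before a single payload byte is buffered. */
int ws_decode_header(const uint8_t *buf, size_t avail, ws_frame_hdr *h)
{
    if (avail < 2) return 0;
    if (buf[0] & 0x70) return -1;        /* RSV1-3 must be zero without extensions */
    if (!(buf[1] & 0x80)) return -1;     /* client frames must be masked */
    uint64_t len = buf[1] & 0x7f;
    size_t hs = 2;
    if (len == 126) {                    /* 16-bit extended length */
        if (avail < 4) return 0;
        len = ((uint64_t)buf[2] << 8) | buf[3];
        hs = 4;
    } else if (len == 127) {             /* 64-bit extended length */
        if (avail < 10) return 0;
        len = 0;
        for (int i = 0; i < 8; i++) len = (len << 8) | buf[2 + i];
        if (len >> 63) return -1;        /* top bit must be zero */
        hs = 10;
    }
    if (len > WS_MAX_PAYLOAD) return -1; /* reject before allocating anything */
    if (avail < hs + 4) return 0;        /* masking key not complete yet */
    h->opcode = buf[0] & 0x0f;
    h->payload_len = len;
    memcpy(h->mask, buf + hs, 4);
    return (int)(hs + 4);
}

/* Per-frame state carried between ws_decode_payload calls. */
typedef struct { uint64_t remain; uint8_t mask[4]; unsigned mask_pos; } ws_payload_state;

/* Unmask payload bytes in place and return how many are ready for the consumer.
 * Never returns more than st->remain, so bytes of a following frame already in
 * the same buffer stay untouched (the clamp missing from the patch's else branch).
 * Any chunk size works, so the frame never has to be held in memory whole. */
size_t ws_decode_payload(ws_payload_state *st, uint8_t *buf, size_t avail)
{
    size_t n = (uint64_t)avail > st->remain ? (size_t)st->remain : avail;
    for (size_t i = 0; i < n; i++) {
        buf[i] ^= st->mask[st->mask_pos];
        st->mask_pos = (st->mask_pos + 1) & 3;
    }
    st->remain -= n;
    return n;
}

/* Build a masked binary frame as a client would send it (test input only). */
size_t ws_build_frame(uint8_t *out, size_t cap, const uint8_t *payload, size_t len, const uint8_t key[4])
{
    size_t hs = len >= 65536 ? 10 : len >= 126 ? 4 : 2;
    if (cap < hs + 4 + len) return 0;
    out[0] = 0x82;                       /* FIN set, opcode 2 (binary) */
    if (hs == 2) out[1] = 0x80 | (uint8_t)len;
    else if (hs == 4) { out[1] = 0x80 | 126; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len; }
    else { out[1] = 0x80 | 127; for (int i = 0; i < 8; i++) out[2 + i] = (uint8_t)((uint64_t)len >> (56 - 8 * i)); }
    memcpy(out + hs, key, 4);
    for (size_t i = 0; i < len; i++) out[hs + 4 + i] = payload[i] ^ key[i & 3];
    return hs + 4 + len;
}

/* Self-test on constructed input: two frames in one read, fed to the decoder in two
 * chunks, a short read, and a 64-bit length claiming 2^32 bytes. Returns 0 on success. */
int ws_selftest(void)
{
    static const uint8_t key[4] = { 0x37, 0xfa, 0x21, 0x3d };  /* constructed mask key */
    static const uint8_t msg[] = "RFB 003.008\n";              /* constructed payload */
    const size_t msglen = sizeof msg - 1;
    uint8_t buf[64];
    size_t n1 = ws_build_frame(buf, sizeof buf, msg, msglen, key);
    size_t n2 = ws_build_frame(buf + n1, sizeof buf - n1, (const uint8_t *)"XY", 2, key);
    size_t total = n1 + n2;

    ws_frame_hdr h;
    int hs = ws_decode_header(buf, total, &h);
    if (hs <= 0 || h.payload_len != msglen) return 1;
    ws_payload_state st = { .remain = h.payload_len, .mask_pos = 0 };
    memcpy(st.mask, h.mask, 4);
    size_t got = ws_decode_payload(&st, buf + hs, 5);             /* first 5 bytes */
    got += ws_decode_payload(&st, buf + hs + 5, total - hs - 5);  /* rest, plus frame 2 */
    if (got != msglen || st.remain != 0) return 2;                /* stopped at frame end */
    if (memcmp(buf + hs, msg, msglen) != 0) return 3;
    ws_frame_hdr h2;
    if (ws_decode_header(buf + n1, n2, &h2) <= 0 || h2.payload_len != 2) return 4; /* frame 2 intact */

    if (ws_decode_header(buf, 3, &h) != 0) return 5;              /* short read: need more */
    const uint8_t huge[14] = { 0x82, 0xff, 0, 0, 0, 1, 0, 0, 0, 0, 1, 2, 3, 4 };
    if (ws_decode_header(huge, sizeof huge, &h) != -1) return 6;  /* 2^32 bytes: rejected */
    return 0;
}

int main(void)
{
    int rc = ws_selftest();
    printf("websocket decoder self-test: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The two decisions that matter are where they sit: the length limit is applied as soon as the header's length field is parsed, so a client cannot make the server allocate for a frame it will never finish sending, and the payload step takes `min(avail, remain)` rather than `avail`, so a second frame sharing the read buffer is neither unmasked with the wrong key nor passed to the VNC protocol handler as data.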