rpms/libvncserver
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libvncserver-0.9.11-17.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-03-30 09:42:52 -04:00 committed by Stepan Oksanichenko
parent 1d5c755613
commit 367ba629de
8 changed files with 972 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

694
SOURCES/libvncserver-0.9.11-CVE-2017-18922.patch Normal file
View File

@ -0,0 +1,694 @@
Backport of:
From aac95a9dcf4bbba87b76c72706c3221a842ca433 Mon Sep 17 00:00:00 2001
From: Andreas Weigel <andreaswe@securepoint.de>
Date: Wed, 15 Feb 2017 12:31:05 +0100
Subject: [PATCH] fix overflow and refactor websockets decode (Hybi)
fix critical heap-based buffer overflow which allowed easy modification
of a return address via an overwritten function pointer
fix bug causing connections to fail due a "one websocket frame = one
ws_read" assumption, which failed with LibVNCServer-0.9.11
refactor websocket Hybi decode to use a simple state machine for
decoding of websocket frames
[Ubuntu note: Renamed b64_pton to __b64_pton in patch to ensure patch can be
applied.
-- Avital]
---
libvncserver/websockets.c | 595 +++++++++++++++++++++++++++++---------
1 file changed, 463 insertions(+), 132 deletions(-)
--- a/libvncserver/websockets.c
+++ b/libvncserver/websockets.c
@@ -62,6 +62,9 @@
#define B64LEN(__x) (((__x + 2) / 3) * 12 / 3)
#define WSHLENMAX 14 /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */
+#define WS_HYBI_MASK_LEN 4
+
+#define ARRAYSIZE(a) ((sizeof(a) / sizeof((a[0]))) / (size_t)(!(sizeof(a) % sizeof((a[0])))))
enum {
WEBSOCKETS_VERSION_HIXIE,
@@ -78,20 +81,20 @@ static int gettid() {
typedef int (*wsEncodeFunc)(rfbClientPtr cl, const char *src, int len, char **dst);
typedef int (*wsDecodeFunc)(rfbClientPtr cl, char *dst, int len);
-typedef struct ws_ctx_s {
- char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
- char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
- char readbuf[8192];
- int readbufstart;
- int readbuflen;
- int dblen;
- char carryBuf[3]; /* For base64 carry-over */
- int carrylen;
- int version;
- int base64;
- wsEncodeFunc encode;
- wsDecodeFunc decode;
-} ws_ctx_t;
+
+enum {
+ /* header not yet received completely */
+ WS_HYBI_STATE_HEADER_PENDING,
+ /* data available */
+ WS_HYBI_STATE_DATA_AVAILABLE,
+ WS_HYBI_STATE_DATA_NEEDED,
+ /* received a complete frame */
+ WS_HYBI_STATE_FRAME_COMPLETE,
+ /* received part of a 'close' frame */
+ WS_HYBI_STATE_CLOSE_REASON_PENDING,
+ /* */
+ WS_HYBI_STATE_ERR
+};
typedef union ws_mask_s {
char c[4];
@@ -119,6 +122,38 @@ typedef struct __attribute__ ((__packed_
} u;
} ws_header_t;
+typedef struct ws_header_data_s {
+ ws_header_t *data;
+ /** bytes read */
+ int nRead;
+ /** mask value */
+ ws_mask_t mask;
+ /** length of frame header including payload len, but without mask */
+ int headerLen;
+ /** length of the payload data */
+ int payloadLen;
+ /** opcode */
+ unsigned char opcode;
+} ws_header_data_t;
+
+typedef struct ws_ctx_s {
+ char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
+ char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
+ char *writePos;
+ unsigned char *readPos;
+ int readlen;
+ int hybiDecodeState;
+ char carryBuf[3]; /* For base64 carry-over */
+ int carrylen;
+ int version;
+ int base64;
+ ws_header_data_t header;
+ int nReadRaw;
+ int nToRead;
+ wsEncodeFunc encode;
+ wsDecodeFunc decode;
+} ws_ctx_t;
+
enum
{
WS_OPCODE_CONTINUATION = 0x0,
@@ -179,6 +214,8 @@ static int webSocketsEncodeHixie(rfbClie
static int webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len);
static int webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len);
+static void hybiDecodeCleanup(ws_ctx_t *wsctx);
+
static int
min (int a, int b) {
return a < b ? a : b;
@@ -440,10 +477,11 @@ webSocketsHandshake(rfbClientPtr cl, cha
wsctx->decode = webSocketsDecodeHixie;
}
wsctx->base64 = base64;
+ hybiDecodeCleanup(wsctx);
cl->wsctx = (wsCtx *)wsctx;
return TRUE;
}
-
+
void
webSocketsGenMd5(char * target, char *key1, char *key2, char *key3)
{
@@ -635,146 +673,439 @@ webSocketsDecodeHixie(rfbClientPtr cl, c
}
static int
-webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
+hybiRemaining(ws_ctx_t *wsctx)
{
- char *buf, *payload;
- uint32_t *payload32;
- int ret = -1, result = -1;
- int total = 0;
- ws_mask_t mask;
- ws_header_t *header;
- int i;
- unsigned char opcode;
- ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
- int flength, fhlen;
- /* int fin; */ /* not used atm */
+ return wsctx->nToRead - wsctx->nReadRaw;
+}
- /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
+static void
+hybiDecodeCleanup(ws_ctx_t *wsctx)
+{
+ wsctx->header.payloadLen = 0;
+ wsctx->header.mask.u = 0;
+ wsctx->nReadRaw = 0;
+ wsctx->nToRead= 0;
+ wsctx->carrylen = 0;
+ wsctx->readPos = (unsigned char *)wsctx->codeBufDecode;
+ wsctx->readlen = 0;
+ wsctx->hybiDecodeState = WS_HYBI_STATE_HEADER_PENDING;
+ wsctx->writePos = NULL;
+ rfbLog("cleaned up wsctx\n");
+}
- if (wsctx->readbuflen) {
- /* simply return what we have */
- if (wsctx->readbuflen > len) {
- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, len);
- result = len;
- wsctx->readbuflen -= len;
- wsctx->readbufstart += len;
+/**
+ * Return payload data that has been decoded/unmasked from
+ * a websocket frame.
+ *
+ * @param[out] dst destination buffer
+ * @param[in] len bytes to copy to destination buffer
+ * @param[in,out] wsctx internal state of decoding procedure
+ * @param[out] number of bytes actually written to dst buffer
+ * @return next hybi decoding state
+ */
+static int
+hybiReturnData(char *dst, int len, ws_ctx_t *wsctx, int *nWritten)
+{
+ int nextState = WS_HYBI_STATE_ERR;
+
+ /* if we have something already decoded copy and return */
+ if (wsctx->readlen > 0) {
+ /* simply return what we have */
+ if (wsctx->readlen > len) {
+ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", len, wsctx->readPos, wsctx->readlen);
+ memcpy(dst, wsctx->readPos, len);
+ *nWritten = len;
+ wsctx->readlen -= len;
+ wsctx->readPos += len;
+ nextState = WS_HYBI_STATE_DATA_AVAILABLE;
+ } else {
+ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", wsctx->readlen, wsctx->readPos, wsctx->readlen);
+ memcpy(dst, wsctx->readPos, wsctx->readlen);
+ *nWritten = wsctx->readlen;
+ wsctx->readlen = 0;
+ wsctx->readPos = NULL;
+ if (hybiRemaining(wsctx) == 0) {
+ nextState = WS_HYBI_STATE_FRAME_COMPLETE;
} else {
- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, wsctx->readbuflen);
- result = wsctx->readbuflen;
- wsctx->readbuflen = 0;
- wsctx->readbufstart = 0;
+ nextState = WS_HYBI_STATE_DATA_NEEDED;
}
- goto spor;
}
+ rfbLog("after copy: readPos=%p, readLen=%d\n", wsctx->readPos, wsctx->readlen);
+ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_CLOSE_REASON_PENDING) {
+ nextState = WS_HYBI_STATE_CLOSE_REASON_PENDING;
+ }
+ return nextState;
+}
- buf = wsctx->codeBufDecode;
- header = (ws_header_t *)wsctx->codeBufDecode;
+/**
+ * Read an RFC 6455 websocket frame (IETF hybi working group).
+ *
+ * Internal state is updated according to bytes received and the
+ * decoding of header information.
+ *
+ * @param[in] cl client ptr with ptr to raw socket and ws_ctx_t ptr
+ * @param[out] sockRet emulated recv return value
+ * @return next hybi decoding state; WS_HYBI_STATE_HEADER_PENDING indicates
+ * that the header was not received completely.
+ */
+static int
+hybiReadHeader(rfbClientPtr cl, int *sockRet)
+{
+ int ret;
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+ char *headerDst = wsctx->codeBufDecode + wsctx->nReadRaw;
+ int n = WSHLENMAX - wsctx->nReadRaw;
+
+ rfbLog("header_read to %p with len=%d\n", headerDst, n);
+ ret = ws_read(cl, headerDst, n);
+ rfbLog("read %d bytes from socket\n", ret);
+ if (ret <= 0) {
+ if (-1 == ret) {
+ /* save errno because rfbErr() will tamper it */
+ int olderrno = errno;
+ rfbErr("%s: peek; %m\n", __func__);
+ errno = olderrno;
+ *sockRet = -1;
+ } else {
+ *sockRet = 0;
+ }
+ return WS_HYBI_STATE_ERR;
+ }
- ret = ws_peek(cl, buf, B64LEN(len) + WSHLENMAX);
+ wsctx->nReadRaw += ret;
+ if (wsctx->nReadRaw < 2) {
+ /* cannot decode header with less than two bytes */
+ errno = EAGAIN;
+ *sockRet = -1;
+ return WS_HYBI_STATE_HEADER_PENDING;
+ }
+
+ /* first two header bytes received; interpret header data and get rest */
+ wsctx->header.data = (ws_header_t *)wsctx->codeBufDecode;
+
+ wsctx->header.opcode = wsctx->header.data->b0 & 0x0f;
+
+ /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
+ wsctx->header.payloadLen = wsctx->header.data->b1 & 0x7f;
+ rfbLog("first header bytes received; opcode=%d lenbyte=%d\n", wsctx->header.opcode, wsctx->header.payloadLen);
+
+ /*
+ * 4.3. Client-to-Server Masking
+ *
+ * The client MUST mask all frames sent to the server. A server MUST
+ * close the connection upon receiving a frame with the MASK bit set to 0.
+ **/
+ if (!(wsctx->header.data->b1 & 0x80)) {
+ rfbErr("%s: got frame without mask ret=%d\n", __func__, ret);
+ errno = EIO;
+ *sockRet = -1;
+ return WS_HYBI_STATE_ERR;
+ }
+
+ if (wsctx->header.payloadLen < 126 && wsctx->nReadRaw >= 6) {
+ wsctx->header.headerLen = 2 + WS_HYBI_MASK_LEN;
+ wsctx->header.mask = wsctx->header.data->u.m;
+ } else if (wsctx->header.payloadLen == 126 && 8 <= wsctx->nReadRaw) {
+ wsctx->header.headerLen = 4 + WS_HYBI_MASK_LEN;
+ wsctx->header.payloadLen = WS_NTOH16(wsctx->header.data->u.s16.l16);
+ wsctx->header.mask = wsctx->header.data->u.s16.m16;
+ } else if (wsctx->header.payloadLen == 127 && 14 <= wsctx->nReadRaw) {
+ wsctx->header.headerLen = 10 + WS_HYBI_MASK_LEN;
+ wsctx->header.payloadLen = WS_NTOH64(wsctx->header.data->u.s64.l64);
+ wsctx->header.mask = wsctx->header.data->u.s64.m64;
+ } else {
+ /* Incomplete frame header, try again */
+ rfbErr("%s: incomplete frame header; ret=%d\n", __func__, ret);
+ errno = EAGAIN;
+ *sockRet = -1;
+ return WS_HYBI_STATE_HEADER_PENDING;
+ }
+
+ /* absolute length of frame */
+ wsctx->nToRead = wsctx->header.headerLen + wsctx->header.payloadLen;
- if (ret < 2) {
- /* save errno because rfbErr() will tamper it */
- if (-1 == ret) {
- int olderrno = errno;
- rfbErr("%s: peek; %m\n", __func__);
- errno = olderrno;
- } else if (0 == ret) {
- result = 0;
- } else {
- errno = EAGAIN;
- }
- goto spor;
- }
+ /* set payload pointer just after header */
+ wsctx->writePos = wsctx->codeBufDecode + wsctx->nReadRaw;
- opcode = header->b0 & 0x0f;
- /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
- flength = header->b1 & 0x7f;
+ wsctx->readPos = (unsigned char *)(wsctx->codeBufDecode + wsctx->header.headerLen);
- /*
- * 4.3. Client-to-Server Masking
- *
- * The client MUST mask all frames sent to the server. A server MUST
- * close the connection upon receiving a frame with the MASK bit set to 0.
- **/
- if (!(header->b1 & 0x80)) {
- rfbErr("%s: got frame without mask\n", __func__, ret);
- errno = EIO;
- goto spor;
- }
-
- if (flength < 126) {
- fhlen = 2;
- mask = header->u.m;
- } else if (flength == 126 && 4 <= ret) {
- flength = WS_NTOH16(header->u.s16.l16);
- fhlen = 4;
- mask = header->u.s16.m16;
- } else if (flength == 127 && 10 <= ret) {
- flength = WS_NTOH64(header->u.s64.l64);
- fhlen = 10;
- mask = header->u.s64.m64;
- } else {
- /* Incomplete frame header */
- rfbErr("%s: incomplete frame header\n", __func__, ret);
- errno = EIO;
- goto spor;
- }
+ rfbLog("header complete: state=%d flen=%d writeTo=%p\n", wsctx->hybiDecodeState, wsctx->nToRead, wsctx->writePos);
+
+ return WS_HYBI_STATE_DATA_NEEDED;
+}
- /* absolute length of frame */
- total = fhlen + flength + 4;
- payload = buf + fhlen + 4; /* header length + mask */
+static int
+hybiWsFrameComplete(ws_ctx_t *wsctx)
+{
+ return wsctx != NULL && hybiRemaining(wsctx) == 0;
+}
- if (-1 == (ret = ws_read(cl, buf, total))) {
+static char *
+hybiPayloadStart(ws_ctx_t *wsctx)
+{
+ return wsctx->codeBufDecode + wsctx->header.headerLen;
+}
+
+
+/**
+ * Read the remaining payload bytes from associated raw socket.
+ *
+ * - try to read remaining bytes from socket
+ * - unmask all multiples of 4
+ * - if frame incomplete but some bytes are left, these are copied to
+ * the carry buffer
+ * - if opcode is TEXT: Base64-decode all unmasked received bytes
+ * - set state for reading decoded data
+ * - reset write position to begin of buffer (+ header)
+ * --> before we retrieve more data we let the caller clear all bytes
+ * from the reception buffer
+ * - execute return data routine
+ *
+ * Sets errno corresponding to what it gets from the underlying
+ * socket or EIO if some internal sanity check fails.
+ *
+ * @param[in] cl client ptr with raw socket reference
+ * @param[out] dst destination buffer
+ * @param[in] len size of destination buffer
+ * @param[out] sockRet emulated recv return value
+ * @return next hybi decode state
+ */
+static int
+hybiReadAndDecode(rfbClientPtr cl, char *dst, int len, int *sockRet)
+{
+ int n;
+ int i;
+ int toReturn;
+ int toDecode;
+ int bufsize;
+ int nextRead;
+ unsigned char *data;
+ uint32_t *data32;
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+
+ /* if data was carried over, copy to start of buffer */
+ memcpy(wsctx->writePos, wsctx->carryBuf, wsctx->carrylen);
+ wsctx->writePos += wsctx->carrylen;
+
+ /* -1 accounts for potential '\0' terminator for base64 decoding */
+ bufsize = wsctx->codeBufDecode + ARRAYSIZE(wsctx->codeBufDecode) - wsctx->writePos - 1;
+ if (hybiRemaining(wsctx) > bufsize) {
+ nextRead = bufsize;
+ } else {
+ nextRead = hybiRemaining(wsctx);
+ }
+
+ rfbLog("calling read with buf=%p and len=%d (decodebuf=%p headerLen=%d\n)", wsctx->writePos, nextRead, wsctx->codeBufDecode, wsctx->header.headerLen);
+
+ if (wsctx->nReadRaw < wsctx->nToRead) {
+ /* decode more data */
+ if (-1 == (n = ws_read(cl, wsctx->writePos, nextRead))) {
int olderrno = errno;
rfbErr("%s: read; %m", __func__);
errno = olderrno;
- return ret;
- } else if (ret < total) {
- /* GT TODO: hmm? */
- rfbLog("%s: read; got partial data\n", __func__);
- } else {
- buf[ret] = '\0';
- }
+ *sockRet = -1;
+ return WS_HYBI_STATE_ERR;
+ } else if (n == 0) {
+ *sockRet = 0;
+ return WS_HYBI_STATE_ERR;
+ }
+ wsctx->nReadRaw += n;
+ rfbLog("read %d bytes from socket; nRead=%d\n", n, wsctx->nReadRaw);
+ } else {
+ n = 0;
+ }
+
+ wsctx->writePos += n;
+
+ if (wsctx->nReadRaw >= wsctx->nToRead) {
+ if (wsctx->nReadRaw > wsctx->nToRead) {
+ rfbErr("%s: internal error, read past websocket frame", __func__);
+ errno=EIO;
+ *sockRet = -1;
+ return WS_HYBI_STATE_ERR;
+ }
+ }
+
+ toDecode = wsctx->writePos - hybiPayloadStart(wsctx);
+ rfbLog("toDecode=%d from n=%d carrylen=%d headerLen=%d\n", toDecode, n, wsctx->carrylen, wsctx->header.headerLen);
+ if (toDecode < 0) {
+ rfbErr("%s: internal error; negative number of bytes to decode: %d", __func__, toDecode);
+ errno=EIO;
+ *sockRet = -1;
+ return WS_HYBI_STATE_ERR;
+ }
+
+ /* for a possible base64 decoding, we decode multiples of 4 bytes until
+ * the whole frame is received and carry over any remaining bytes in the carry buf*/
+ data = (unsigned char *)hybiPayloadStart(wsctx);
+ data32= (uint32_t *)data;
+
+ for (i = 0; i < (toDecode >> 2); i++) {
+ data32[i] ^= wsctx->header.mask.u;
+ }
+ rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
- /* process 1 frame (32 bit op) */
- payload32 = (uint32_t *)payload;
- for (i = 0; i < flength / 4; i++) {
- payload32[i] ^= mask.u;
- }
+ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
/* process the remaining bytes (if any) */
- for (i*=4; i < flength; i++) {
- payload[i] ^= mask.c[i % 4];
+ for (i*=4; i < toDecode; i++) {
+ data[i] ^= wsctx->header.mask.c[i % 4];
}
- switch (opcode) {
- case WS_OPCODE_CLOSE:
- rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)payload)[0]));
- errno = ECONNRESET;
- break;
- case WS_OPCODE_TEXT_FRAME:
- if (-1 == (flength = __b64_pton(payload, (unsigned char *)wsctx->codeBufDecode, sizeof(wsctx->codeBufDecode)))) {
- rfbErr("%s: Base64 decode error; %m\n", __func__);
- break;
- }
- payload = wsctx->codeBufDecode;
- /* fall through */
- case WS_OPCODE_BINARY_FRAME:
- if (flength > len) {
- memcpy(wsctx->readbuf, payload + len, flength - len);
- wsctx->readbufstart = 0;
- wsctx->readbuflen = flength - len;
- flength = len;
- }
- memcpy(dst, payload, flength);
- result = flength;
- break;
+ /* all data is here, no carrying */
+ wsctx->carrylen = 0;
+ } else {
+ /* carry over remaining, non-multiple-of-four bytes */
+ wsctx->carrylen = toDecode - (i * 4);
+ if (wsctx->carrylen < 0 || wsctx->carrylen > ARRAYSIZE(wsctx->carryBuf)) {
+ rfbErr("%s: internal error, invalid carry over size: carrylen=%d, toDecode=%d, i=%d", __func__, wsctx->carrylen, toDecode, i);
+ *sockRet = -1;
+ errno = EIO;
+ return WS_HYBI_STATE_ERR;
+ }
+ rfbLog("carrying over %d bytes from %p to %p\n", wsctx->carrylen, wsctx->writePos + (i * 4), wsctx->carryBuf);
+ memcpy(wsctx->carryBuf, data + (i * 4), wsctx->carrylen);
+ }
+
+ toReturn = toDecode - wsctx->carrylen;
+
+ switch (wsctx->header.opcode) {
+ case WS_OPCODE_CLOSE:
+
+ /* this data is not returned as payload data */
+ if (hybiWsFrameComplete(wsctx)) {
+ rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)data)[0]));
+ errno = ECONNRESET;
+ *sockRet = -1;
+ return WS_HYBI_STATE_FRAME_COMPLETE;
+ } else {
+ rfbErr("%s: close reason with long frame not supported", __func__);
+ errno = EIO;
+ *sockRet = -1;
+ return WS_HYBI_STATE_ERR;
+ }
+ break;
+ case WS_OPCODE_TEXT_FRAME:
+ data[toReturn] = '\0';
+ rfbLog("Initiate Base64 decoding in %p with max size %d and '\\0' at %p\n", data, bufsize, data + toReturn);
+ if (-1 == (wsctx->readlen = __b64_pton((char *)data, data, bufsize))) {
+ rfbErr("Base64 decode error in %s; data=%p bufsize=%d", __func__, data, bufsize);
+ rfbErr("%s: Base64 decode error; %m\n", __func__);
+ }
+ wsctx->writePos = hybiPayloadStart(wsctx);
+ break;
+ case WS_OPCODE_BINARY_FRAME:
+ wsctx->readlen = toReturn;
+ wsctx->writePos = hybiPayloadStart(wsctx);
+ break;
+ default:
+ rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)wsctx->header.opcode, wsctx->header.data->b0, wsctx->header.data->b1);
+ }
+ wsctx->readPos = data;
+
+ return hybiReturnData(dst, len, wsctx, sockRet);
+}
+
+/**
+ * Read function for websocket-socket emulation.
+ *
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-------+-+-------------+-------------------------------+
+ * |F|R|R|R| opcode|M| Payload len | Extended payload length |
+ * |I|S|S|S| (4) |A| (7) | (16/64) |
+ * |N|V|V|V| |S| | (if payload len==126/127) |
+ * | |1|2|3| |K| | |
+ * +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
+ * | Extended payload length continued, if payload len == 127 |
+ * + - - - - - - - - - - - - - - - +-------------------------------+
+ * | |Masking-key, if MASK set to 1 |
+ * +-------------------------------+-------------------------------+
+ * | Masking-key (continued) | Payload Data |
+ * +-------------------------------- - - - - - - - - - - - - - - - +
+ * : Payload Data continued ... :
+ * + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+ * | Payload Data continued ... |
+ * +---------------------------------------------------------------+
+ *
+ * Using the decode buffer, this function:
+ * - reads the complete header from the underlying socket
+ * - reads any remaining data bytes
+ * - unmasks the payload data using the provided mask
+ * - decodes Base64 encoded text data
+ * - copies len bytes of decoded payload data into dst
+ *
+ * Emulates a read call on a socket.
+ */
+static int
+webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
+{
+ int result = -1;
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+ /* int fin; */ /* not used atm */
+
+ /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
+ rfbLog("%s_enter: len=%d; "
+ "CTX: readlen=%d readPos=%p "
+ "writeTo=%p "
+ "state=%d toRead=%d remaining=%d "
+ " nReadRaw=%d carrylen=%d carryBuf=%p\n",
+ __func__, len,
+ wsctx->readlen, wsctx->readPos,
+ wsctx->writePos,
+ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
+ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf);
+
+ switch (wsctx->hybiDecodeState){
+ case WS_HYBI_STATE_HEADER_PENDING:
+ wsctx->hybiDecodeState = hybiReadHeader(cl, &result);
+ if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
+ goto spor;
+ }
+ if (wsctx->hybiDecodeState != WS_HYBI_STATE_HEADER_PENDING) {
+
+ /* when header is complete, try to read some more data */
+ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
+ }
+ break;
+ case WS_HYBI_STATE_DATA_AVAILABLE:
+ wsctx->hybiDecodeState = hybiReturnData(dst, len, wsctx, &result);
+ break;
+ case WS_HYBI_STATE_DATA_NEEDED:
+ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
+ break;
+ case WS_HYBI_STATE_CLOSE_REASON_PENDING:
+ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
+ break;
default:
- rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)opcode, header->b0, header->b1);
+ /* invalid state */
+ rfbErr("%s: called with invalid state %d\n", wsctx->hybiDecodeState);
+ result = -1;
+ errno = EIO;
+ wsctx->hybiDecodeState = WS_HYBI_STATE_ERR;
}
/* single point of return, if someone has questions :-) */
spor:
/* rfbLog("%s: ret: %d/%d\n", __func__, result, len); */
+ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
+ rfbLog("frame received successfully, cleaning up: read=%d hlen=%d plen=%d\n", wsctx->header.nRead, wsctx->header.headerLen, wsctx->header.payloadLen);
+ /* frame finished, cleanup state */
+ hybiDecodeCleanup(wsctx);
+ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
+ hybiDecodeCleanup(wsctx);
+ }
+ rfbLog("%s_exit: len=%d; "
+ "CTX: readlen=%d readPos=%p "
+ "writePos=%p "
+ "state=%d toRead=%d remaining=%d "
+ "nRead=%d carrylen=%d carryBuf=%p "
+ "result=%d\n",
+ __func__, len,
+ wsctx->readlen, wsctx->readPos,
+ wsctx->writePos,
+ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
+ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf,
+ result);
return result;
}
@@ -924,7 +1255,7 @@ webSocketsHasDataInBuffer(rfbClientPtr c
{
ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
- if (wsctx && wsctx->readbuflen)
+ if (wsctx && wsctx->readlen)
return TRUE;
return (cl->sslctx && rfbssl_pending(cl) > 0);

35
SOURCES/libvncserver-0.9.11-CVE-2018-21247.patch Normal file
View File

@ -0,0 +1,35 @@
From d87d25516b3992e52cf79e3cd6bd331b0baceecf Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 Nov 2019 16:21:18 +0100
Subject: [PATCH] When connecting to a repeater, make sure to not leak memory
Really closes #253
---
examples/repeater.c | 1 +
libvncclient/rfbproto.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/examples/repeater.c b/examples/repeater.c
index cf0350ff..7047578d 100644
--- a/examples/repeater.c
+++ b/examples/repeater.c
@@ -23,6 +23,7 @@ int main(int argc,char** argv)
"Usage: %s <id> <repeater-host> [<repeater-port>]\n", argv[0]);
exit(1);
}
+ memset(id, 0, sizeof(id));
snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
repeaterHost = argv[2];
repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 6c07d97e..675248fa 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -402,6 +402,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
+ memset(tmphost, 0, sizeof(tmphost));
snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
return FALSE;

25
SOURCES/libvncserver-0.9.11-CVE-2019-20839.patch Normal file
View File

@ -0,0 +1,25 @@
From 3fd03977c9b35800d73a865f167338cb4d05b0c1 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sat, 6 Apr 2019 20:23:12 +0200
Subject: [PATCH] libvncclient: bail out if unix socket name would overflow
Closes #291
---
libvncclient/sockets.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c
index f042472f..821f85ca 100644
--- a/libvncclient/sockets.c
+++ b/libvncclient/sockets.c
@@ -461,6 +461,10 @@ ConnectClientToUnixSock(const char *sockFile)
int sock;
struct sockaddr_un addr;
addr.sun_family = AF_UNIX;
+ if(strlen(sockFile) + 1 > sizeof(addr.sun_path)) {
+ rfbClientErr("ConnectToUnixSock: socket file name too long\n");
+ return -1;
+ }
strcpy(addr.sun_path, sockFile);
sock = socket(AF_UNIX, SOCK_STREAM, 0);

40
SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch Normal file
View File

@ -0,0 +1,40 @@
Backport of:
From 0cf1400c61850065de590d403f6d49e32882fd76 Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer <eike@sf-mail.de>
Date: Tue, 28 May 2019 18:30:46 +0200
Subject: [PATCH] fix crash because of unaligned accesses in
hybiReadAndDecode()
[Ubuntu note: patch backported to apply on libvncserver/websockets.c instead of
libvncserver/ws_decode.c
-- Avital]
---
libvncserver/ws_decode.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/libvncserver/websockets.c
+++ b/libvncserver/websockets.c
@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
int bufsize;
int nextRead;
unsigned char *data;
- uint32_t *data32;
ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
/* if data was carried over, copy to start of buffer */
@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
/* for a possible base64 decoding, we decode multiples of 4 bytes until
* the whole frame is received and carry over any remaining bytes in the carry buf*/
data = (unsigned char *)hybiPayloadStart(wsctx);
- data32= (uint32_t *)data;
for (i = 0; i < (toDecode >> 2); i++) {
- data32[i] ^= wsctx->header.mask.u;
+ uint32_t tmp;
+ memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
+ tmp ^= wsctx->header.mask.u;
+ memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
}
rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);

80
SOURCES/libvncserver-0.9.11-CVE-2020-14397.patch Normal file
View File

@ -0,0 +1,80 @@
From 416d7662a3f3ac5131014c6011bf1364d57a27e2 Mon Sep 17 00:00:00 2001
From: Tobias Junghans <tobydox@veyon.io>
Date: Tue, 3 Nov 2020 13:58:36 -0600
Subject: [PATCH] libvncserver: add missing NULL pointer checks
---
libvncserver/rfbregion.c | 26 ++++++++++++++++----------
libvncserver/rfbserver.c | 4 +++-
2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/libvncserver/rfbregion.c b/libvncserver/rfbregion.c
index 1947d7c4..1e59646a 100644
--- a/libvncserver/rfbregion.c
+++ b/libvncserver/rfbregion.c
@@ -50,24 +50,30 @@ sraSpanDup(const sraSpan *src) {
static void
sraSpanInsertAfter(sraSpan *newspan, sraSpan *after) {
- newspan->_next = after->_next;
- newspan->_prev = after;
- after->_next->_prev = newspan;
- after->_next = newspan;
+ if (newspan && after) {
+ newspan->_next = after->_next;
+ newspan->_prev = after;
+ after->_next->_prev = newspan;
+ after->_next = newspan;
+ }
}
static void
sraSpanInsertBefore(sraSpan *newspan, sraSpan *before) {
- newspan->_next = before;
- newspan->_prev = before->_prev;
- before->_prev->_next = newspan;
- before->_prev = newspan;
+ if (newspan && before) {
+ newspan->_next = before;
+ newspan->_prev = before->_prev;
+ before->_prev->_next = newspan;
+ before->_prev = newspan;
+ }
}
static void
sraSpanRemove(sraSpan *span) {
- span->_prev->_next = span->_next;
- span->_next->_prev = span->_prev;
+ if (span) {
+ span->_prev->_next = span->_next;
+ span->_next->_prev = span->_prev;
+ }
}
static void
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 1b4dd975..1f4230f2 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -218,6 +218,8 @@ rfbClientIteratorHead(rfbClientIteratorPtr i)
rfbClientPtr
rfbClientIteratorNext(rfbClientIteratorPtr i)
{
+ if (!i)
+ return NULL;
if(i->next == 0) {
LOCK(rfbClientListMutex);
i->next = i->screen->clientHead;
@@ -242,7 +244,7 @@ rfbClientIteratorNext(rfbClientIteratorPtr i)
void
rfbReleaseClientIterator(rfbClientIteratorPtr iterator)
{
- IF_PTHREADS(if(iterator->next) rfbDecrClientRef(iterator->next));
+ IF_PTHREADS(if(iterator && iterator->next) rfbDecrClientRef(iterator->next));
free(iterator);
}
--
2.28.0

38
SOURCES/libvncserver-0.9.11-CVE-2020-14405.patch Normal file
View File

@ -0,0 +1,38 @@
From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Tue, 3 Nov 2020 13:44:14 -0600
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
Addresses GitHub Security Lab (GHSL) Vulnerability Report
`GHSL-2020-063`.
Re #275
---
libvncclient/rfbproto.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 94751a22..7ba00b55 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -73,6 +73,8 @@
# define snprintf _snprintf /* MSVC went straight to the underscored syntax */
#endif
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
+
/*
* rfbClientLog prints a time-stamped message to the log file (stderr).
*/
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
break;
default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
buffer=malloc(msg.tc.length+1);
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
{
--
2.28.0

24
SOURCES/libvncserver-0.9.11-CVE-2020-25708.patch Normal file
View File

@ -0,0 +1,24 @@
From 673c07a75ed844d74676f3ccdcfdc706a7052dba Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 May 2020 13:47:21 +0200
Subject: [PATCH] libvncserver/rfbserver: fix possible divide-by-zero
Closes #409
---
libvncserver/rfbserver.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 269a0137..9cc29c52 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -3369,6 +3369,9 @@ rfbSendRectEncodingRaw(rfbClientPtr cl,
char *fbptr = (cl->scaledScreen->frameBuffer + (cl->scaledScreen->paddedWidthInBytes * y)
+ (x * (cl->scaledScreen->bitsPerPixel / 8)));
+ if(!h || !w)
+ return TRUE; /* nothing to send */
+
/* Flush the buffer to guarantee correct alignment for translateFn(). */
if (cl->ublen > 0) {
if (!rfbSendUpdateBuf(cl))

64
SPECS/libvncserver.spec
View File

@ -1,7 +1,7 @@
Summary: Library to make writing a VNC server easy
Name: libvncserver
Version: 0.9.11
Release: 14%{?dist}
Release: 17%{?dist}
# NOTE: --with-filetransfer => GPLv2
License: GPLv2+
@ -41,6 +41,20 @@ Patch106: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in
# bug #1814343, <https://github.com/LibVNC/libvncserver/issues/275>,
# in upstream after 0.9.12
Patch107: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
# https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433
Patch108: libvncserver-0.9.11-CVE-2017-18922.patch
# https://github.com/LibVNC/libvncserver/pull/308
Patch109: libvncserver-0.9.11-CVE-2019-20840.patch
# https://github.com/LibVNC/libvncserver/issues/291
Patch110: libvncserver-0.9.11-CVE-2019-20839.patch
# https://github.com/LibVNC/libvncserver/issues/253
Patch111: libvncserver-0.9.11-CVE-2018-21247.patch
# https://github.com/LibVNC/libvncserver/issues/275
Patch112: libvncserver-0.9.11-CVE-2020-14405.patch
# https://github.com/LibVNC/libvncserver/pull/416
Patch113: libvncserver-0.9.11-CVE-2020-14397.patch
# https://github.com/LibVNC/libvncserver/issues/409
Patch114: libvncserver-0.9.11-CVE-2020-25708.patch
BuildRequires: autoconf
BuildRequires: automake
@ -88,31 +102,7 @@ developing applications that use %{name}.
%prep
%setup -q -n %{name}-LibVNCServer-%{version}
%patch4 -p1 -b .0004
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch100 -p1 -b .system_minilzo
# Nuke bundled minilzo
#rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
%patch101 -p1 -b .multilib
%patch102 -p1
%if 0%{?fedora} < 26
%patch103 -p1 -b .soname
%global soname 0
%else
%global soname 1
%endif
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%autosetup -p1 -n %{name}-LibVNCServer-%{version}
# Fix encoding
for file in ChangeLog ; do
@ -159,8 +149,8 @@ make -C test test ||:
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README TODO
%{_libdir}/libvncclient.so.%{soname}*
%{_libdir}/libvncserver.so.%{soname}*
%{_libdir}/libvncclient.so.0*
%{_libdir}/libvncserver.so.0*
%files devel
%{_bindir}/libvncserver-config
@ -172,6 +162,24 @@ make -C test test ||:
%changelog
* Tue Nov 24 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-17
- Fix CVE-2020-25708
Resolves: #1898078
* Tue Nov 03 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-16
- Fix CVE-2019-20839
Resolves: #1851032
- Fix CVE-2018-21247
Resolves: #1852516
- Fix CVE-2020-14405
Resolves: #1860527
- Fix CVE-2020-14397
Resolves: #1861152
* Mon Jul 27 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-15
- Fix CVE-2017-18922
Resolves: #1852356
* Wed Mar 18 2020 Petr Pisar <ppisar@redhat.com> - 0.9.11-14
- Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client)
(bug #1814343)