77 lines
2.5 KiB
Diff
77 lines
2.5 KiB
Diff
From efbf51a42b51665fd70ea49b9c583a208cfd2deb Mon Sep 17 00:00:00 2001
|
|
From: Jon Maloy <jmaloy@redhat.com>
|
|
Date: Tue, 4 Jul 2023 10:41:22 +0200
|
|
Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
|
|
(CVE-2023-3255)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
|
RH-MergeRequest: 316: ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
|
|
RH-Bugzilla: 2218488
|
|
RH-Acked-by: Mauro Matteo Cascella <None>
|
|
RH-Commit: [1/1] f3cb05fb6e40261da5fe10f003fa3e57920469bb (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
|
|
|
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2218488
|
|
CVE: CVE-2023-3255
|
|
Upstream: Merged
|
|
|
|
commit d921fea338c1059a27ce7b75309d7a2e485f710b
|
|
Author: Mauro Matteo Cascella <mcascell@redhat.com>
|
|
Date: Tue Jul 4 10:41:22 2023 +0200
|
|
|
|
ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
|
|
|
|
A wrong exit condition may lead to an infinite loop when inflating a
|
|
valid zlib buffer containing some extra bytes in the `inflate_buffer`
|
|
function. The bug only occurs post-authentication. Return the buffer
|
|
immediately if the end of the compressed data has been reached
|
|
(Z_STREAM_END).
|
|
|
|
Fixes: CVE-2023-3255
|
|
Fixes: 0bf41cab ("ui/vnc: clipboard support")
|
|
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
|
|
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
|
|
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
|
|
|
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
---
|
|
ui/vnc-clipboard.c | 10 ++++------
|
|
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
|
|
index 67284b556c..c84599cfdb 100644
|
|
--- a/ui/vnc-clipboard.c
|
|
+++ b/ui/vnc-clipboard.c
|
|
@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
|
ret = inflate(&stream, Z_FINISH);
|
|
switch (ret) {
|
|
case Z_OK:
|
|
- case Z_STREAM_END:
|
|
break;
|
|
+ case Z_STREAM_END:
|
|
+ *size = stream.total_out;
|
|
+ inflateEnd(&stream);
|
|
+ return out;
|
|
case Z_BUF_ERROR:
|
|
out_len <<= 1;
|
|
if (out_len > (1 << 20)) {
|
|
@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
|
}
|
|
}
|
|
|
|
- *size = stream.total_out;
|
|
- inflateEnd(&stream);
|
|
-
|
|
- return out;
|
|
-
|
|
err_end:
|
|
inflateEnd(&stream);
|
|
err:
|
|
--
|
|
2.41.0
|
|
|