spice/server
Christophe Fergeau 8af6190096 Fix buffer overflow when decrypting client SPICE ticket
reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
RSA_private_decrypt which we call for the decryption expects the
destination buffer to be at least RSA_size(link->tiTicketing.rsa)
bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
is 60 while RSA_size() is 128, so we end up overflowing 'password'
when using long passwords (this was reproduced using the string:
'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
as a password).

When the overflow occurs, QEMU dies with:
*** stack smashing detected ***: qemu-system-x86_64 terminated

This commit ensures we use a correctly sized 'password' buffer,
and that it's correctly nul-terminated so that we can use strcmp
instead of strncmp. To keep using strncmp, we'd need to figure out
which one of 'password' and 'taTicket.password' is the smaller buffer,
and use that size.

This fixes rhbz#999839
2013-10-30 10:40:50 +01:00
tests server/tests: avoid using deprecated symbols 2013-10-07 16:33:20 +02:00
.gitignore gitignore: add generated_*, vim temps, pyc 2010-11-08 16:06:55 +02:00
agent-msg-filter.c server: Add support for filtering out agent file-xfer msgs (rhbz#961848) 2013-06-06 16:07:30 +02:00
agent-msg-filter.h server: Add support for filtering out agent file-xfer msgs (rhbz#961848) 2013-06-06 16:07:30 +02:00
char_device.c syntax-check: remove trailing whitespaces 2013-07-16 23:37:29 +03:00
char_device.h syntax-check: s/the the/the/ in a comment 2013-07-16 23:37:28 +03:00
demarshallers.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
dispatcher.c Don't do arithmetic on void * type, use uint8_t instead 2012-04-25 09:40:18 +01:00
dispatcher.h dispatcher.h: fix - s/#define MAIN_DISPATCHER_H/#define DISPATCHER_H 2013-04-22 16:30:54 -04:00
glz_encode_match_tmpl.c add #include <config.h> to all source files 2011-05-03 14:44:10 +02:00
glz_encode_tmpl.c Remove trailing whitespace from end of lines 2012-01-13 18:11:59 +02:00
glz_encoder_config.h Fix multiple printf format problems 2012-04-25 09:42:11 +01:00
glz_encoder_dictionary_protected.h server: s/max_encdoers/max_encoders/ 2012-08-30 17:08:09 +03:00
glz_encoder_dictionary.c server: s/max_encdoers/max_encoders/ 2012-08-30 17:08:09 +03:00
glz_encoder_dictionary.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
glz_encoder.c Remove trailing blank lines 2012-01-13 18:11:59 +02:00
glz_encoder.h Use the spice-common submodule 2012-03-25 18:59:10 +02:00
inputs_channel.c server: inputs s/relase/release 2013-10-07 16:33:20 +02:00
inputs_channel.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
jpeg_encoder.c Use the spice-common logging functions 2012-03-25 19:00:00 +02:00
jpeg_encoder.h Remove trailing whitespace from end of lines 2012-01-13 18:11:59 +02:00
main_channel.c main_channel: monitoring client connection status 2013-08-14 13:36:30 -04:00
main_channel.h Namespace RECEIVE_BUF_SIZE 2013-10-08 19:07:41 +02:00
main_dispatcher.c decouple disconnection of the main channel from client destruction 2013-07-29 11:35:17 -04:00
main_dispatcher.h decouple disconnection of the main channel from client destruction 2013-07-29 11:35:17 -04:00
Makefile.am Remove tunneling support 2013-10-28 11:12:27 +01:00
migration_protocol.h enable seamless migration and set migration protocol version 2012-08-27 09:13:14 +03:00
mjpeg_encoder.c red_worker: improve stream stats readability and ease of parsing 2013-06-24 15:23:34 -04:00
mjpeg_encoder.h mjpeg_encoder: add mjpeg_encoder_get_stats 2013-06-24 15:23:34 -04:00
red_bitmap_utils.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
red_channel.c Silence gcc false positive with -Wuninitialized 2013-10-28 11:12:20 +01:00
red_channel.h red_channel: cleanup of red_channel_client blocking methods 2013-09-26 10:48:40 -04:00
red_client_cache.h Use the spice-common logging functions 2012-03-25 19:00:00 +02:00
red_client_shared_cache.h Use the spice-common logging functions 2012-03-25 19:00:00 +02:00
red_common.h server/red_parse_qxl: add bitmap consistency check 2012-09-03 19:27:22 +03:00
red_dispatcher.c server: set dispatcher before calling attache_worker 2013-10-07 16:33:20 +02:00
red_dispatcher.h server: set dispatcher before calling attache_worker 2013-10-07 16:33:20 +02:00
red_memslots.c server: remove memslot unused functions 2013-10-01 16:23:59 +02:00
red_memslots.h server: remove memslot unused functions 2013-10-01 16:23:59 +02:00
red_parse_qxl.c red_parse_qxl: Change spice_error() to spice_warning() 2013-09-02 18:13:04 +02:00
red_parse_qxl.h Add support for QXLComposite to spice server 2012-08-24 13:44:42 -04:00
red_time.c server: move three functions to red_channel 2013-08-14 12:08:04 +03:00
red_time.h server: move three functions to red_channel 2013-08-14 12:08:04 +03:00
red_worker.c Fix 'recive' typo throughout the code base 2013-10-08 19:07:42 +02:00
red_worker.h server: move bit set/clear utilities out of red_worker.h 2013-08-14 12:08:04 +03:00
reds_gl_canvas.c Use the spice-common submodule 2012-03-25 18:59:10 +02:00
reds_gl_canvas.h Use the spice-common submodule 2012-03-25 18:59:10 +02:00
reds_sw_canvas.c Use the spice-common submodule 2012-03-25 18:59:10 +02:00
reds_sw_canvas.h Use the spice-common submodule 2012-03-25 18:59:10 +02:00
reds-private.h Fix 'recive' typo throughout the code base 2013-10-08 19:07:42 +02:00
reds.c Fix buffer overflow when decrypting client SPICE ticket 2013-10-30 10:40:50 +01:00
reds.h decouple disconnection of the main channel from client destruction 2013-07-29 11:35:17 -04:00
smartcard.c red_channel: monitor connection latency using MSG_PING 2013-04-22 16:30:54 -04:00
smartcard.h smartcard: use SpiceCharDeviceState for managing reading from the device 2012-07-03 14:13:42 +03:00
snd_worker.c Fix PlaybackeCommand typo 2013-10-09 19:03:37 +02:00
snd_worker.h snd_worker: support sending SPICE_MSG_PLAYBACK_LATENCY 2013-04-22 16:30:54 -04:00
spice_bitmap_utils.c spice_bitmap_utils: fix dump_bitmap 2013-08-22 16:09:26 -04:00
spice_bitmap_utils.h server: move surface_format_to_image_type to spice_bitmap_utils 2013-08-14 12:08:04 +03:00
spice_image_cache.c server: split spice_image_cache from red_worker 2013-08-14 12:08:04 +03:00
spice_image_cache.h server: split spice_image_cache from red_worker 2013-08-14 12:08:04 +03:00
spice_server_utils.h server: move bit set/clear utilities out of red_worker.h 2013-08-14 12:08:04 +03:00
spice_timer_queue.c spice_timer_queue: don't call timers repeatedly 2013-08-14 11:07:17 -04:00
spice_timer_queue.h server: spice_timer_queue 2013-04-22 16:30:54 -04:00
spice-experimental.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
spice-server.syms server: Add support for filtering out agent file-xfer msgs (rhbz#961848) 2013-06-06 16:07:30 +02:00
spice.h server: mark deprecated symbols 2013-10-07 16:33:20 +02:00
spicevmc.c red_channel: monitor connection latency using MSG_PING 2013-04-22 16:30:54 -04:00
stat.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
zlib_encoder.c Use the spice-common logging functions 2012-03-25 19:00:00 +02:00
zlib_encoder.h applying zlib compression over glz on WAN connection 2010-06-21 15:05:37 +02:00