ui/vnc: fix OOB read access in VNC SASL mechname array

When reading the SASL mechname array off the VNC connection, if
malicious, the received data may contain embedded NULs. If this
happens the memory buffer returned by g_strndup may be shorter
than the original data. Unfortunately the code continued to
index into this buffer with an offset equal to the original
length. This is a potential OOB read of the array.

Fixes: 5847d9e1 (ui/vnc: simplify and avoid strncpy)
Reported-by: boy juju <agx1657748706@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260521103353.1645561-2-berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
2026-05-21 11:33:50 +01:00
committed by Marc-André Lureau
parent 42d6d0e501
commit ae18df638f

View File

@@ -489,6 +489,8 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_
char *mechname = g_strndup((const char *) data, len);
trace_vnc_auth_sasl_mech_choose(vs, mechname);
/* If 'data' had embedded NUL the dup'd string might now be shorter */
len = strlen(mechname);
if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
if (vs->sasl.mechlist[len] != '\0' &&
vs->sasl.mechlist[len] != ',') {