mirror of
https://github.com/qemu/qemu.git
synced 2026-07-08 17:56:38 +00:00
ui/vnc: fix OOB read access in VNC SASL mechname array
When reading the SASL mechname array off the VNC connection, if
malicious, the received data may contain embedded NULs. If this
happens the memory buffer returned by g_strndup may be shorter
than the original data. Unfortunately the code continued to
index into this buffer with an offset equal to the original
length. This is a potential OOB read of the array.
Fixes: 5847d9e1 (ui/vnc: simplify and avoid strncpy)
Reported-by: boy juju <agx1657748706@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260521103353.1645561-2-berrange@redhat.com>
This commit is contained in:
committed by
Marc-André Lureau
parent
42d6d0e501
commit
ae18df638f
@@ -489,6 +489,8 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_
|
||||
char *mechname = g_strndup((const char *) data, len);
|
||||
trace_vnc_auth_sasl_mech_choose(vs, mechname);
|
||||
|
||||
/* If 'data' had embedded NUL the dup'd string might now be shorter */
|
||||
len = strlen(mechname);
|
||||
if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
|
||||
if (vs->sasl.mechlist[len] != '\0' &&
|
||||
vs->sasl.mechlist[len] != ',') {
|
||||
|
||||
Reference in New Issue
Block a user