Be defensive about overflows in stream objects

We use a lot of lengths given to us over the network, so be more
paranoid about them causing an overflow as otherwise an attacker
might trick us into overwriting other memory.

This primarily affects the client which often gets lengths from the
server, but there are also some scenarios where the server might
theoretically be vulnerable.

Issue found by Pavel Cheremushkin from Kaspersky Lab.
Pierre Ossman
2019-09-24 09:41:07 +02:00
committed by Lauri Kasanen
parent 259f1055cb
commit ae6cbd19e9
13 changed files with 75 additions and 48 deletions

@@ -127,8 +127,10 @@ size_t ZlibOutStream::overrun(size_t itemSize, size_t nItems)
}
}
if (itemSize * nItems > (size_t)(end - ptr))
nItems = (end - ptr) / itemSize;
size_t nAvail;
nAvail = (end - ptr) / itemSize;
if (nAvail < nItems)
return nAvail;
return nItems;
}
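
Review bot: the new `nAvail = (end - ptr) / itemSize;` in ZlibOutStream::overrun() divides by `itemSize` with no visible guard against zero, and it drops the `(size_t)` cast that the `itemSize * nItems > (size_t)(end - ptr)` check applied to `end - ptr`. Please either assert `itemSize != 0` and `end >= ptr` at this point or note in a comment where those are guaranteed, since a negative pointer difference would be converted to a very large unsigned value and make `nAvail < nItems` false. The declaration and assignment could also be a single line, `size_t nAvail = (size_t)(end - ptr) / itemSize;`, and a one-line comment saying the division is used so that `itemSize * nItems` cannot wrap would keep a later cleanup from reintroducing the multiplication.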