From 95efcfbf0c39e0b493509d2ad829b0d688641b41 Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Fri, 10 Oct 2014 13:51:48 +0200 Subject: [PATCH] Fix potential memory corruption in libvncclient. Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]): LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message. case rfbServerCutText: { char *buffer; if (!ReadFromRFBServer(client, ((char *)&msg) + 1, sz_rfbServerCutTextMsg - 1)) return FALSE; msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0 if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer return FALSE; buffer[msg.sct.length] = 0; << Attempt to write to buffer if (client->GotXCutText) client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer free(buffer); break; } If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0. --- libvncclient/sockets.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c index e50ef0e..c09b555 100644 --- a/libvncclient/sockets.c +++ b/libvncclient/sockets.c @@ -90,6 +90,13 @@ ReadFromRFBServer(rfbClient* client, char *out, unsigned int n) int nn=n; rfbClientLog("ReadFromRFBServer %d bytes\n",n); #endif + + /* Handle attempts to write to NULL out buffer that might occur + when an outside malloc() fails. For instance, memcpy() to NULL + results in undefined behaviour and probably memory corruption.*/ + if(!out) + return FALSE; + if (client->serverPort==-1) { /* vncrec playing */ rfbVNCRec* rec = client->vncRec;