blob: 8830c30f870ddaca2070df1582184b0049bf8696 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
From b1bfadcbfd88970c6d48672e2dbcca8713c91411 Mon Sep 17 00:00:00 2001
From: Nicolas Ruff <nruff@google.com>
Date: Mon, 18 Aug 2014 15:16:16 +0200
Subject: [PATCH 1/3] Check malloc() return value on client->server
ClientCutText message. Client can send up to 2**32-1 bytes of text, and such
a large allocation is likely to fail in case of high memory pressure. This
would in a server crash (write at address 0).
---
server/libvncserver/rfbserver.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
index a880b53..2615dc3 100644
--- a/server/libvncserver/rfbserver.c
+++ b/server/libvncserver/rfbserver.c
@@ -853,6 +853,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
msg.cct.length = Swap32IfLE(msg.cct.length);
str = (char *)malloc(msg.cct.length);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
+ return;
+ }
if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
if (n != 0)
--
2.20.1
|
