diff options
author | Christophe Fergeau <cfergeau@redhat.com> | 2013-08-23 11:29:44 +0200 |
---|---|---|
committer | Christophe Fergeau <cfergeau@redhat.com> | 2013-10-30 10:40:50 +0100 |
commit | 8af619009660b24e0b41ad26b30289eea288fcc2 (patch) | |
tree | 817b95b2976a8500328b203932f91a8d918a3051 /configure.ac | |
parent | ef9a8bf05328d290f82613037f5419f0d5e87eb5 (diff) | |
download | spice-8af619009660b24e0b41ad26b30289eea288fcc2.tar.gz spice-8af619009660b24e0b41ad26b30289eea288fcc2.tar.xz spice-8af619009660b24e0b41ad26b30289eea288fcc2.zip |
Fix buffer overflow when decrypting client SPICE ticket
reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
RSA_private_decrypt which we call for the decryption expects the
destination buffer to be at least RSA_size(link->tiTicketing.rsa)
bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
is 60 while RSA_size() is 128, so we end up overflowing 'password'
when using long passwords (this was reproduced using the string:
'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
as a password).
When the overflow occurs, QEMU dies with:
*** stack smashing detected ***: qemu-system-x86_64 terminated
This commit ensures we use a corectly sized 'password' buffer,
and that it's correctly nul-terminated so that we can use strcmp
instead of strncmp. To keep using strncmp, we'd need to figure out
which one of 'password' and 'taTicket.password' is the smaller buffer,
and use that size.
This fixes rhbz#999839
Diffstat (limited to 'configure.ac')
0 files changed, 0 insertions, 0 deletions