mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ui: validate NUL byte padding in SASL client data more strictly

Browse Source 
When the SASL data is non-NULL, the SASL protocol spec requires that
it is padded with a trailing NUL byte. QEMU discards the trailing
byte, but does not currently validate that it was in fact a NUL.
Apply strict validation to better detect any broken clients.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2024-09-16 13:49:11 +01:00
parent 829cb3d0ea
commit 1a225f57f3
1 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
ui/vnc-auth-sasl.c
View File

@ -263,8 +263,14 @@ static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t le
/* NB, distinction of NULL vs "" is *critical* in SASL */ /* NB, distinction of NULL vs "" is *critical* in SASL */
if (datalen) { if (datalen) {
clientdata = (char*)data; clientdata = (char*)data;
clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */ if (clientdata[datalen - 1] != '\0') {
datalen--; /* Don't count NULL byte when passing to _start() */ trace_vnc_auth_fail(vs, vs->auth, "Malformed SASL client data",
"Missing SASL NUL padding byte");
sasl_dispose(&vs->sasl.conn);
vs->sasl.conn = NULL;
goto authabort;
}
datalen--; /* Discard the extra NUL padding byte */
} }
err = sasl_server_step(vs->sasl.conn, err = sasl_server_step(vs->sasl.conn,
@ -385,8 +391,14 @@ static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t l
/* NB, distinction of NULL vs "" is *critical* in SASL */ /* NB, distinction of NULL vs "" is *critical* in SASL */
if (datalen) { if (datalen) {
clientdata = (char*)data; clientdata = (char*)data;
clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */ if (clientdata[datalen - 1] != '\0') {
datalen--; /* Don't count NULL byte when passing to _start() */ trace_vnc_auth_fail(vs, vs->auth, "Malformed SASL client data",
"Missing SASL NUL padding byte");
sasl_dispose(&vs->sasl.conn);
vs->sasl.conn = NULL;
goto authabort;
}
datalen--; /* Discard the extra NUL padding byte */
} }
err = sasl_server_start(vs->sasl.conn, err = sasl_server_start(vs->sasl.conn,