io: monitor encoutput buffer size from websocket GSource
The websocket GSource is monitoring the size of the rawoutput buffer to determine if the channel can accepts more writes. The rawoutput buffer, however, is merely a temporary staging buffer before data is copied into the encoutput buffer. Thus its size will always be zero when the GSource runs. This flaw causes the encoutput buffer to grow without bound if the other end of the underlying data channel doesn't read data being sent. This can be seen with VNC if a client is on a slow WAN link and the guest OS is sending many screen updates. A malicious VNC client can act like it is on a slow link by playing a video in the guest and then reading data very slowly, causing QEMU host memory to expand arbitrarily. This issue is assigned CVE-2017-15268, publically reported in https://bugs.launchpad.net/qemu/+bug/1718964 Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
parent
9cf961bba7
commit
a7b20a8efa
@ -28,7 +28,7 @@
|
|||||||
#include <time.h>
|
#include <time.h>
|
||||||
|
|
||||||
|
|
||||||
/* Max amount to allow in rawinput/rawoutput buffers */
|
/* Max amount to allow in rawinput/encoutput buffers */
|
||||||
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
|
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
|
||||||
|
|
||||||
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
|
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
|
||||||
@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source)
|
|||||||
if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
|
if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
|
||||||
cond |= G_IO_IN;
|
cond |= G_IO_IN;
|
||||||
}
|
}
|
||||||
if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
|
if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
|
||||||
cond |= G_IO_OUT;
|
cond |= G_IO_OUT;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user