kumquat-buildroot/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch

From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:39:48 +0000
Subject: [PATCH] Prevent possible DoS attempts during protocol handshake

The limit for link message is specified using a 32 bit unsigned integer.
This could cause possible DoS due to excessive memory allocations and
some possible crashes.
For instance a value >= 2^31 causes a spice_assert to be triggered in
async_read_handler (reds-stream.c) due to an integer overflow at this
line:

   int n = async->end - async->now;

This could be easily triggered with a program like

  #!/usr/bin/env python

  import socket
  import time
  from struct import pack

  server = '127.0.0.1'
  port = 5900

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((server, port))
  data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
  s.send(data)

  time.sleep(1)

without requiring any authentication (the same can be done
with TLS).

[Peter: fixes CVE-2016-9578]
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 server/reds.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/reds.c b/server/reds.c
index f40b65c1..86a33d53 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
 
     reds->peer_minor_version = header->minor_version;
 
-    if (header->size < sizeof(SpiceLinkMess)) {
+    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
+    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
         spice_warning("bad size %u", header->size);
         reds_link_free(link);
-- 
2.11.0
spice: add post-0.12.8 upstream security fixes Fixes the following security issues: CVE-2016-9577 Frediano Ziglio of Red Hat discovered a buffer overflow vulnerability in the main_channel_alloc_msg_rcv_buf function. An authenticated attacker can take advantage of this flaw to cause a denial of service (spice server crash), or possibly, execute arbitrary code. CVE-2016-9578 Frediano Ziglio of Red Hat discovered that spice does not properly validate incoming messages. An attacker able to connect to the spice server could send crafted messages which would cause the process to crash. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-06-22 00:07:44 +02:00			`From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001`
			`From: Frediano Ziglio <fziglio@redhat.com>`
			`Date: Tue, 13 Dec 2016 14:39:48 +0000`
			`Subject: [PATCH] Prevent possible DoS attempts during protocol handshake`

			`The limit for link message is specified using a 32 bit unsigned integer.`
			`This could cause possible DoS due to excessive memory allocations and`
			`some possible crashes.`
			`For instance a value >= 2^31 causes a spice_assert to be triggered in`
			`async_read_handler (reds-stream.c) due to an integer overflow at this`
			`line:`

			`int n = async->end - async->now;`

			`This could be easily triggered with a program like`

			`#!/usr/bin/env python`

			`import socket`
			`import time`
			`from struct import pack`

			`server = '127.0.0.1'`
			`port = 5900`

			`s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
			`s.connect((server, port))`
			`data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)`
			`s.send(data)`

			`time.sleep(1)`

			`without requiring any authentication (the same can be done`
			`with TLS).`

			`[Peter: fixes CVE-2016-9578]`
			`Signed-off-by: Frediano Ziglio <fziglio@redhat.com>`
			`Acked-by: Christophe Fergeau <cfergeau@redhat.com>`
			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`server/reds.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/server/reds.c b/server/reds.c`
			`index f40b65c1..86a33d53 100644`
			`--- a/server/reds.c`
			`+++ b/server/reds.c`
			`@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)`

			`reds->peer_minor_version = header->minor_version;`

			`- if (header->size < sizeof(SpiceLinkMess)) {`
			`+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */`
			`+ if (header->size < sizeof(SpiceLinkMess) \|\| header->size > 4096) {`
			`reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);`
			`spice_warning("bad size %u", header->size);`
			`reds_link_free(link);`
			`--`
			`2.11.0`