On Fri, Aug 02, 2024 at 02:41:18PM +0000, Dane Bouchie wrote:
> The client chooses the security type, so they can pass in "None" to the
> switch statement. is_allowed_security_type() now prevents that.
Oh, so was the issue a trivial authentication bypass? Evidently, logic
errors like this are easy to miss in plain sight.
switch (type) {
case RFB_SECURITY_TYPE_NONE:
        security_handshake_ok(client, NULL);
        client->state = VNC_CLIENT_STATE_WAITING_FOR_INIT;
        break;
Should the above RFB_SECURITY_TYPE_NONE support continue to exist in the
code at all, if RFB_SECURITY_TYPE_NONE is never added to the allowed
security types array that the code now pre-checks against? Maybe it
should be #if 0'ed out, leaving it only as an example for debugging?
Thank you for the extremely prompt response.
Alexander
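To make the bypass discussed above concrete, here is a toy model of the security-type step of the RFB handshake, written as an added example for this thread rather than taken from the project's code. The enum values follow RFC 6143; the state names, struct layout, dispatch_security_type(), simulate() and the exact shape of is_allowed_security_type() are assumptions made for the example. The vulnerable path feeds the client's chosen byte straight into the switch, the fixed path first checks it against the list the server actually offered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security type numbers from the RFB protocol (RFC 6143, section 7.1.2). */
enum rfb_security_type {
        RFB_SECURITY_TYPE_INVALID = 0,
        RFB_SECURITY_TYPE_NONE = 1,
        RFB_SECURITY_TYPE_VNC_AUTH = 2,
        RFB_SECURITY_TYPE_VENCRYPT = 19,
};

/* Hypothetical client states for this toy model. */
enum client_state {
        STATE_WAITING_FOR_SECURITY_TYPE,
        STATE_WAITING_FOR_INIT,     /* handshake passed, ClientInit expected next */
        STATE_WAITING_FOR_VNC_AUTH, /* challenge sent, response expected */
        STATE_WAITING_FOR_VENCRYPT,
        STATE_CLOSED,               /* handshake failed, connection dropped */
};

struct server {
        const uint8_t *offered_types; /* what the SecurityTypes message advertised */
        size_t n_offered;
};

struct client {
        const struct server *server;
        enum client_state state;
};

/* Assumed equivalent of the pre-check the thread describes. */
static bool is_allowed_security_type(const struct server *s, uint8_t type)
{
        for (size_t i = 0; i < s->n_offered; ++i)
                if (s->offered_types[i] == type)
                        return true;
        return false;
}

/* The dispatch itself: maps the client's choice onto the next state. */
static void dispatch_security_type(struct client *c, uint8_t type)
{
        switch (type) {
        case RFB_SECURITY_TYPE_NONE:
                c->state = STATE_WAITING_FOR_INIT; /* no credentials checked */
                break;
        case RFB_SECURITY_TYPE_VNC_AUTH:
                c->state = STATE_WAITING_FOR_VNC_AUTH;
                break;
        case RFB_SECURITY_TYPE_VENCRYPT:
                c->state = STATE_WAITING_FOR_VENCRYPT;
                break;
        default:
                c->state = STATE_CLOSED;
                break;
        }
}

/* Vulnerable: the byte the client sends goes straight into the switch. */
static void on_security_type_vulnerable(struct client *c, uint8_t type)
{
        dispatch_security_type(c, type);
}

/* Fixed: a type the server never offered is rejected before dispatch. */
static void on_security_type_fixed(struct client *c, uint8_t type)
{
        if (!is_allowed_security_type(c->server, type)) {
                c->state = STATE_CLOSED;
                return;
        }
        dispatch_security_type(c, type);
}

/* Run one handshake: the server offers only VNC Auth, the client picks `type`. */
static enum client_state simulate(bool fixed, uint8_t type)
{
        static const uint8_t offered[] = { RFB_SECURITY_TYPE_VNC_AUTH };
        struct server s = { offered, sizeof offered / sizeof offered[0] };
        struct client c = { &s, STATE_WAITING_FOR_SECURITY_TYPE };

        if (fixed)
                on_security_type_fixed(&c, type);
        else
                on_security_type_vulnerable(&c, type);
        return c.state;
}

int main(void)
{
        printf("vulnerable, client sends NONE: %s\n",
               simulate(false, RFB_SECURITY_TYPE_NONE) == STATE_WAITING_FOR_INIT
                       ? "authenticated without credentials" : "rejected");
        printf("fixed, client sends NONE:      %s\n",
               simulate(true, RFB_SECURITY_TYPE_NONE) == STATE_CLOSED
                       ? "rejected" : "authenticated without credentials");
        printf("fixed, client sends VNC_AUTH:  state %d\n",
               simulate(true, RFB_SECURITY_TYPE_VNC_AUTH));
        return 0;
}
```

In this model the NONE case of the switch is still reachable after the fix, but only when the server itself put NONE into the offered list; with the pre-check in front, the case body is no longer something a client can trigger on its own.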