From: Daniel P. Berrangé <[email protected]> When reading the SASL mechname array off the VNC connection, if malicious, the received data may contain embedded NULs. If this happens the memory buffer returned by g_strndup may be shorter than the original data. Unfortunately the code continued to index into this buffer with an offset equal to the original length. This is a potential OOB read of the array.
Fixes: 5847d9e1 (ui/vnc: simplify and avoid strncpy) Reported-by: boy juju <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Signed-off-by: Daniel P. Berrangé <[email protected]> Message-ID: <[email protected]> --- ui/vnc-auth-sasl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ui/vnc-auth-sasl.c b/ui/vnc-auth-sasl.c index 9964b969ac2..298c8f3769f 100644 --- a/ui/vnc-auth-sasl.c +++ b/ui/vnc-auth-sasl.c @@ -489,6 +489,8 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_ char *mechname = g_strndup((const char *) data, len); trace_vnc_auth_sasl_mech_choose(vs, mechname); + /* If 'data' had embedded NUL the dup'd string might now be shorter */ + len = strlen(mechname); if (strncmp(vs->sasl.mechlist, mechname, len) == 0) { if (vs->sasl.mechlist[len] != '\0' && vs->sasl.mechlist[len] != ',') { -- 2.54.0
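Review bot: `len = strlen(mechname);` overwrites the function's own `len` parameter in place, so from this line on the received wire length is gone, and a later reader (or a future use of `len` in protocol_client_auth_sasl_mechname()) will take `len` to be the client-supplied length when it is now the truncated string length; a separate `size_t mechlen = strlen(mechname);` used in the strncmp() and the `vs->sasl.mechlist[len]` index keeps both meanings available. The added comment could also say why this is sufficient: the out-of-bounds access is `vs->sasl.mechlist[len]`, and once strncmp() reports equality over strlen(mechname) bytes, every one of those bytes in mechlist is non-NUL, so mechlist[len] is at worst the terminator. Finally, consider whether a mechname with an embedded NUL should be rejected outright (a `memchr(data, '\0', len)` check before the g_strndup()) rather than silently truncated to its prefix: with this patch a client that sends "PLAIN\0..." is treated as having chosen "PLAIN", which fails open rather than closed on malformed input.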

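The following is an added, stand-alone C model of the mechname check described in the commit message; it is not QEMU code. dup_n() stands in for g_strndup() (strncpy then terminate, so an embedded NUL shortens the copy), old_would_read_oob() models the pre-fix path that indexes mechlist with the wire length, mech_in_list() is an assumed reconstruction of the "mechname is a whole entry of the comma-separated list" test from the visible lines, and accept_mechname_strict() is an alternative the patch does not take (reject embedded NULs instead of truncating). The 13-byte wire buffer "PLAIN\0AAAAAAA" is constructed input; all function names are illustrative.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the mechname check
 * in protocol_client_auth_sasl_mechname(). dup_n() stands in for
 * g_strndup(); mech_in_list() is an assumed reconstruction of the
 * "whole entry of a comma-separated list" test; accept_mechname_strict()
 * is an alternative the patch does not take. All names are illustrative.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mimics g_strndup(): strncpy() up to n bytes, then terminate. If the
 * source has a NUL within the first n bytes, the copy's strlen() is the
 * offset of that NUL, which is shorter than n. */
static char *dup_n(const char *s, size_t n)
{
    char *out = calloc(n + 1, 1);
    if (out == NULL) {
        abort();
    }
    strncpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Pre-fix behaviour, modelled: comparison and index both use the wire
 * length. Returns 1 when the old code would have read mechlist[len] past
 * mechlist's terminator (only reachable when strncmp() reported a match,
 * i.e. mechlist holds exactly the truncated name). */
static int old_would_read_oob(const char *mechlist, const uint8_t *data,
                              size_t len)
{
    char *mechname = dup_n((const char *)data, len);
    int oob = 0;

    if (strncmp(mechlist, mechname, len) == 0 && len > strlen(mechlist)) {
        oob = 1;   /* mechlist[len] lies beyond the NUL terminator */
    }
    free(mechname);
    return oob;
}

/* Post-fix behaviour: n = strlen(mechname). If strncmp(p, mechname, n) is
 * zero, each of p's first n bytes equals a non-NUL byte of mechname, so
 * p[n] is at most the terminator and the index is always in bounds. */
static int mech_in_list(const char *mechlist, const char *mechname)
{
    size_t n = strlen(mechname);
    const char *p = mechlist;

    if (n == 0) {
        return 0;
    }
    while (p != NULL) {
        if (strncmp(p, mechname, n) == 0 && (p[n] == '\0' || p[n] == ',')) {
            return 1;
        }
        p = strchr(p, ',');
        if (p != NULL) {
            p++;            /* skip the ',' to the next list entry */
        }
    }
    return 0;
}

/* Post-fix entry point: dup the wire bytes, then check the copy. A NUL in
 * data silently truncates the name to its prefix. */
static int accept_mechname(const char *mechlist, const uint8_t *data,
                           size_t len)
{
    char *mechname = dup_n((const char *)data, len);
    int ok = mech_in_list(mechlist, mechname);

    free(mechname);
    return ok;
}

/* Alternative (assumption, not what the patch does): refuse any name with
 * an embedded NUL instead of truncating it. */
static int accept_mechname_strict(const char *mechlist, const uint8_t *data,
                                  size_t len)
{
    if (memchr(data, '\0', len) != NULL) {
        return 0;
    }
    return accept_mechname(mechlist, data, len);
}

int main(void)
{
    /* Constructed input: mechname with an embedded NUL, 13 bytes on the wire. */
    static const uint8_t wire[] = "PLAIN\0AAAAAAA";
    size_t len = sizeof(wire) - 1;
    const char *mechlist = "PLAIN";

    printf("wire len %zu, dup'd strlen %zu\n", len, strlen((const char *)wire));
    printf("old code would read mechlist[%zu] past the end: %d\n", len,
           old_would_read_oob(mechlist, wire, len));
    printf("fixed check accepts: %d, strict check accepts: %d\n",
           accept_mechname(mechlist, wire, len),
           accept_mechname_strict(mechlist, wire, len));
    return 0;
}
```

Note the asymmetry the model exposes: against a single-entry mechlist "PLAIN" the old code's strncmp() matches and then reads mechlist[13], while against "PLAIN,GSSAPI" the ',' at offset 5 fails the comparison first and the bad index is never reached, which is why the bug only shows up for some server configurations.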