[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] libvnc and tightvnc vulnerabilities
From: Solar Designer <solar () openwall ! com>
Date: 2018-12-13 10:39:29
Message-ID: 20181213103929.GA16401 () openwall ! com
[Download RAW message or body]
On Mon, Dec 10, 2018 at 07:57:21PM +0100, Solar Designer wrote:
> https://github.com/LibVNC/libvncserver/issues/247
>
> Upstream's fix appears to be to add casts to (uint64_t) before adding 1
> in those many malloc() calls. On platforms with larger than 32-bit
> size_t, this should be sufficient against integer overflows since the
> sizes are read from 32-bit protocol fields, but it isn't sufficient to
> prevent maliciously large memory allocation on the client by a rogue
> server. On a platform with 32-bit size_t, this isn't even sufficient to
> prevent the integer overflows. If I haven't missed anything, it'd be
> great if you open a new issue suggesting introduction of safety limits
> prior to those malloc() lines.
> [...] per the commits referenced in issue #247 above, there are many more
> instances of the "malloc(... + 1)" pattern, which were patched similarly
> incompletely.
I've just created this issue:
SECURITY: malloc((uint64_t)length + 1) is unsafe, especially on 32-bit systems
https://github.com/LibVNC/libvncserver/issues/273
Alexander
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic