diff options
author | Christian Beier <dontmind@freeshell.org> | 2019-01-06 15:13:56 +0100 |
---|---|---|
committer | Christian Beier <dontmind@freeshell.org> | 2019-01-06 15:13:56 +0100 |
commit | 15bb719c03cc70f14c36a843dcb16ed69b405707 (patch) | |
tree | d8aab6805181a9b7bf41124d157f050b0010cc31 /libvncserver | |
parent | a64c3b37af9a6c8f8009d7516874b8d266b42bae (diff) | |
download | libtdevnc-15bb719c03cc70f14c36a843dcb16ed69b405707.tar.gz libtdevnc-15bb719c03cc70f14c36a843dcb16ed69b405707.zip |
Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
re #273
Diffstat (limited to 'libvncserver')
-rw-r--r-- | libvncserver/rfbserver.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c index 6ca511f..e210a32 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c @@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) int n=0; FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); + /* - rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); + We later alloc length+1, which might wrap around on 32-bit systems if length equals + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. */ + if(length == SIZE_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; + } + if (length>0) { - buffer=malloc((uint64_t)length+1); + buffer=malloc((size_t)length+1); if (buffer!=NULL) { if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { if (n != 0) |