summaryrefslogtreecommitdiffstats
path: root/libvncserver
diff options
context:
space:
mode:
authorChristian Beier <dontmind@freeshell.org>2019-01-06 15:13:56 +0100
committerChristian Beier <dontmind@freeshell.org>2019-01-06 15:13:56 +0100
commit15bb719c03cc70f14c36a843dcb16ed69b405707 (patch)
treed8aab6805181a9b7bf41124d157f050b0010cc31 /libvncserver
parenta64c3b37af9a6c8f8009d7516874b8d266b42bae (diff)
downloadlibtdevnc-15bb719c03cc70f14c36a843dcb16ed69b405707.tar.gz
libtdevnc-15bb719c03cc70f14c36a843dcb16ed69b405707.zip
Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
re #273
Diffstat (limited to 'libvncserver')
-rw-r--r--libvncserver/rfbserver.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 6ca511f..e210a32 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
int n=0;
FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
+
/*
- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
+ We later alloc length+1, which might wrap around on 32-bit systems if length equals
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
+ without problems as length is a uint32_t.
*/
+ if(length == SIZE_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
+ }
+
if (length>0) {
- buffer=malloc((uint64_t)length+1);
+ buffer=malloc((size_t)length+1);
if (buffer!=NULL) {
if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
if (n != 0)