From: Christian Beier <dontmind@freeshell.org>
Date: Sat, 29 Sep 2018 20:55:24 +0200
Subject: When connecting to a repeater, only send initialised string
Origin: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20023
Bug-Debian: https://bugs.debian.org/916941
Bug: https://github.com/LibVNC/libvncserver/issues/253

Closes #253
---
 examples/repeater.c     | 10 ++++++++--
 libvncclient/rfbproto.c |  8 ++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

--- a/examples/repeater.c
+++ b/examples/repeater.c
@@ -12,6 +12,7 @@
   char *repeaterHost;
   int repeaterPort, sock;
   char id[250];
+  int idlen;
   rfbClientPtr cl;
 
   int i,j;
@@ -23,7 +24,12 @@
       "Usage: %s <id> <repeater-host> [<repeater-port>]\n", argv[0]);
     exit(1);
   }
-  snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
+  idlen = snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
+  if(idlen < 0 || idlen >= (int)sizeof(id)) {
+      fprintf(stderr, "Error, given ID is probably too long.\n");
+      return 1;
+  }
+
   repeaterHost = argv[2];
   repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
 
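Review bot: The truncation check added after the snprintf compares idlen against `(int)sizeof(id)`, but the snprintf on the same line is still handed `sizeof(id) - 1` as its buffer size, so the two limits disagree by one: an argv[1] producing idlen == 249 passes the check although the output was cut to 248 characters plus a NUL at id[248]. The later hunk then does `write(sock, id, idlen+1)`, which for that length sends id[249] — a byte snprintf never wrote, i.e. the uninitialised stack data this commit sets out to stop leaking to the repeater. The simplest repair is to give snprintf the whole buffer so the existing test is exact, `idlen = snprintf(id, sizeof(id), "ID:%s", argv[1]);`; otherwise the check must be `idlen >= (int)sizeof(id) - 1`. The same off-by-one applies to the write in the `@@ -48,7 +54,7 @@` hunk, which is correct only once the two sizes agree.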
@@ -48,7 +54,7 @@
     perror("connect to repeater");
     return 1;
   }
-  if (write(sock, id, sizeof(id)) != sizeof(id)) {
+  if (write(sock, id, idlen+1) != idlen+1) {
     perror("writing id");
     return 1;
   }
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -487,6 +487,7 @@
   rfbProtocolVersionMsg pv;
   int major,minor;
   char tmphost[250];
+  int tmphostlen;
 
 #ifdef LIBVNCSERVER_IPv6
   client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort);
@@ -522,8 +523,11 @@
 
   rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
 
-  snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
-  if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
+  tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+  if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost))
+    return FALSE; /* snprintf error or output truncated */
+
+  if (!WriteToRFBServer(client, tmphost, tmphostlen + 1))
     return FALSE;
 
   return TRUE;
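Review bot: The new truncation branch returns FALSE without any diagnostic, while the surrounding code reports progress through rfbClientLog, so a caller that passes an over-long destHost sees only a generic connection failure with nothing in the log to explain it. Logging before bailing out, e.g. `rfbClientErr("Destination host:port string too long for repeater\n");` ahead of the `return FALSE;`, would make the rejection visible to the user. Here the check correctly matches the size passed to snprintf, unlike the repeater.c hunk of this same commit, which uses `sizeof(id) - 1` for snprintf but `sizeof(id)` in the check. The enclosing function starts outside the hunk, so whether client->sock is closed on this early FALSE return cannot be confirmed from here.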
