Date: Sat, 10 Jun 2017 09:50:20 -0700 From: Conrad Meyer <cem@freebsd.org> To: Marcelo Araujo <araujo@freebsd.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r319487 - head/usr.sbin/bhyve Message-ID: <CAG6CVpUohZppgV%2BKXNHsvhFkXvw3rtd20iGSi3P=vDAG%2Bs6vjw@mail.gmail.com> In-Reply-To: <201706020235.v522ZGeC076100@repo.freebsd.org> References: <201706020235.v522ZGeC076100@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, Additionally, one more issue pointed out by Coverity below :-). On Thu, Jun 1, 2017 at 7:35 PM, Marcelo Araujo <araujo@freebsd.org> wrote: > Author: araujo > Date: Fri Jun 2 02:35:16 2017 > New Revision: 319487 > URL: https://svnweb.freebsd.org/changeset/base/319487 > > Log: > Add VNC Authentication support based on RFC6143 section 7.2.2. > > ... > Modified: head/usr.sbin/bhyve/rfb.c > ============================================================================== > --- head/usr.sbin/bhyve/rfb.c Fri Jun 2 01:00:40 2017 (r319486) > +++ head/usr.sbin/bhyve/rfb.c Fri Jun 2 02:35:16 2017 (r319487) > ... > @@ -739,8 +754,19 @@ rfb_handle(struct rfb_softc *rc, int cfd) > { > const char *vbuf = "RFB 003.008\n"; > unsigned char buf[80]; > + unsigned char *message; Message is uninitialized. > + > +#ifndef NO_OPENSSL > + unsigned char challenge[AUTH_LENGTH]; > + unsigned char keystr[PASSWD_LENGTH]; > + unsigned char crypt_expected[AUTH_LENGTH]; > + > + DES_key_schedule ks; > + int i; > +#endif > + > pthread_t tid; > - uint32_t sres; > + uint32_t sres; sres is also uninitialized. > int len; > > rc->cfd = cfd; > @@ -751,19 +777,91 @@ rfb_handle(struct rfb_softc *rc, int cfd) > /* 1b. Read client version */ > len = read(cfd, buf, sizeof(buf)); > > - /* 2a. Send security type 'none' */ > + /* 2a. Send security type */ > buf[0] = 1; > - buf[1] = 1; /* none */ > +#ifndef NO_OPENSSL > + if (rc->password) > + buf[1] = SECURITY_TYPE_VNC_AUTH; > + else > + buf[1] = SECURITY_TYPE_NONE; > +#else > + buf[1] = SECURITY_TYPE_NONE; > +#endif > + > stream_write(cfd, buf, 2); > > - > /* 2b. Read agreed security type */ > len = stream_read(cfd, buf, 1); A malicious server negotiation could respond in ways that break later assumptions: 1. Respond to NONE with VNC_AUTH. In this case rc->password will be NULL and strncpy() below will cause a SIGSEGV. 2. Respond to VNC_AUTH with a bogus value. In this case, neither sres nor message is ever initialized. > ... > + /* 2d. Write back a status */ > stream_write(cfd, &sres, 4); Bogus sres could be used here. > > + if (sres) { > + *((uint32_t *) buf) = htonl(strlen(message)); Bogus message could be dereferenced here, resulting in SIGSEGV. Additionally, aliasing char array buf via a uint32_t pointer is invalid C. I'd suggest instead: be32enc(buf, strlen(message)); > + stream_write(cfd, buf, 4); > + stream_write(cfd, message, strlen(message)); > + goto done; > + } > + > /* 3a. Read client shared-flag byte */ > len = stream_read(cfd, buf, 1); > > ... Best, Conrad
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG6CVpUohZppgV%2BKXNHsvhFkXvw3rtd20iGSi3P=vDAG%2Bs6vjw>