Applied a fix from VNC 4.1.2 to close critical security issue.
authorConstantin Kaplinsky <const@tightvnc.com>
Thu, 18 May 2006 11:32:30 +0000 (11:32 +0000)
committerConstantin Kaplinsky <const@tightvnc.com>
Thu, 18 May 2006 11:32:30 +0000 (11:32 +0000)
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@560 3789f03b-4d11-0410-bbf8-ca57d06f2519

rfb/SConnection.cxx

index f8a3f36a978d61b0c43e214a28692ee6c1ecf00d..1422b5469169709c89464f9e3b150f4848545614 100644 (file)
@@ -178,6 +178,16 @@ void SConnection::processSecurityTypeMsg()
 {
   vlog.debug("processing security type message");
   int secType = is->readU8();
+
+  // Verify that the requested security type should be offered
+  std::list<rdr::U8> secTypes;
+  std::list<rdr::U8>::iterator i;
+  securityFactory->getSecTypes(&secTypes, reverseConnection);
+  for (i=secTypes.begin(); i!=secTypes.end(); i++)
+    if (*i == secType) break;
+  if (i == secTypes.end())
+    throw Exception("Requested security type not available");
+
   vlog.info("Client requests security type %s(%d)",
             secTypeName(secType),secType);
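Review bot: A rejected request leaves no record of which security type the client asked for, because the new `throw Exception("Requested security type not available");` runs before the existing `vlog.info("Client requests security type %s(%d)", ...)` call. Since `secType` comes straight from `is->readU8()`, the rejected value is the useful detection signal; I would log it just before the throw, e.g. `vlog.error("Client requested security type %d which was not offered", secType);`. The comment could also state the reason for the check, e.g. `// secType is client-supplied: accept it only if it is in the list this server offers for this connection`. As a style point, the hand-written loop could be `std::find(secTypes.begin(), secTypes.end(), secType)`, assuming `<algorithm>` is already included in this file. The body of processSecurityTypeMsg continues past the hunk, so how the exception is reported to the client cannot be checked from here.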