From b0a491e9877568719394e9a273035b6613c5c289 Mon Sep 17 00:00:00 2001
From: Constantin Kaplinsky
Date: Thu, 18 May 2006 11:32:30 +0000
Subject: [PATCH] Applied a fix from VNC 4.1.2 to close critical security issue.

git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@560 3789f03b-4d11-0410-bbf8-ca57d06f2519
---
 rfb/SConnection.cxx | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/rfb/SConnection.cxx b/rfb/SConnection.cxx
index f8a3f36a..1422b546 100644
--- a/rfb/SConnection.cxx
+++ b/rfb/SConnection.cxx
@@ -178,6 +178,16 @@ void SConnection::processSecurityTypeMsg()
 {
 vlog.debug("processing security type message");
 int secType = is->readU8();
+
+ // Verify that the requested security type should be offered
+ std::list secTypes;
+ std::list::iterator i;
+ securityFactory->getSecTypes(&secTypes, reverseConnection);
+ for (i=secTypes.begin(); i!=secTypes.end(); i++)
+ if (*i == secType) break;
+ if (i == secTypes.end())
+ throw Exception("Requested security type not available");
+
 vlog.info("Client requests security type %s(%d)",
 secTypeName(secType),secType);
 
-- 
2.39.5
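Review bot: The rejection path in the added check throws before the `vlog.info` line that records the requested type, so a client asking for a security type that was never offered leaves no log entry carrying the value it sent, unless the caller logs the exception text (not visible in this hunk). That is the event an operator most wants to see when reviewing failed or suspicious handshakes, so I would record it ahead of the throw, with braces added around the `if` body: `vlog.error("Client requested security type %d which was not offered", secType);`. As a minor style point, the hand-written search loop could be written as `std::find(secTypes.begin(), secTypes.end(), secType)`, which would need `<algorithm>`. The body of processSecurityTypeMsg continues past the end of the hunk.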