-rw-r--r-- | common/rfb/SSecurityPlain.cxx | 9 | ||||
-rw-r--r-- | common/rfb/SSecurityPlain.h | 3 |
2 files changed, 11 insertions, 1 deletions
diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx index f5a5cc73..fc9dff23 100644 --- a/common/rfb/SSecurityPlain.cxx +++ b/common/rfb/SSecurityPlain.cxx @@ -86,13 +86,20 @@ bool SSecurityPlain::processMsg(SConnection* sc) if (state == 0) { if (!is->checkNoWait(8)) return false; + ulen = is->readU32(); + if (ulen > MaxSaneUsernameLength) + throw AuthFailureException("Too long username"); + plen = is->readU32(); + if (plen > MaxSanePasswordLength) + throw AuthFailureException("Too long password"); + state = 1; } if (state == 1) { - if (is->checkNoWait(ulen + plen + 2)) + if (!is->checkNoWait(ulen + plen)) return false; state = 2; pw = new char[plen + 1]; diff --git a/common/rfb/SSecurityPlain.h b/common/rfb/SSecurityPlain.h index 080fcd59..2c08c24e 100644 --- a/common/rfb/SSecurityPlain.h +++ b/common/rfb/SSecurityPlain.h @@ -54,6 +54,9 @@ namespace rfb { PasswordValidator* valid; unsigned int ulen, plen, state; CharArray username; + + static const unsigned int MaxSaneUsernameLength = 1024; + static const unsigned int MaxSanePasswordLength = 1024; }; } |
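Review bot: The new limit checks in the `state == 0` block have no comment saying that `ulen` and `plen` are lengths supplied by the client before authentication has succeeded, which is why they must be capped before `checkNoWait(ulen + plen)` and `new char[plen + 1]` consume them. I would add above the first check `// Lengths come from the unauthenticated peer; cap them before they size a wait or an allocation`. The caps are also what keeps the unsigned sum `ulen + plen` from wrapping, so that dependency is worth stating in case the limits are raised later. Separately, `pw = new char[plen + 1]` is a raw owning buffer for a cleartext password, and its release is outside the hunk, so it is worth confirming that it is freed, and preferably cleared, on every path, including when a later read throws.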
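Review bot: `MaxSaneUsernameLength` and `MaxSanePasswordLength` are added to the class without a comment giving their unit or purpose, so a reader of the header cannot tell that 1024 bounds the length fields read from the wire in `processMsg`. I would add `// Upper bounds (presumably in bytes) on the client-supplied username and password lengths` above the two declarations. The class body starts outside the hunk, so whether these sit in a private section cannot be confirmed from here.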