path: root/common/rfb
Commit message (Author, Age, Files, Lines)
* Use size_t for lengths in stream objects (Pierre Ossman, 2019-11-15, 5 files, -16/+17)
|   Provides safety against them accidentally becoming negative because of bugs in the calculations. Also does the same to CharArray and friends as they were strongly connected to the stream objects.
* Add sanity checks for PixelFormat shift values (Pierre Ossman, 2019-11-15, 1 file, -0/+7)
|   Otherwise we might be tricked into reading and writing things at incorrect offsets for pixels which ultimately could result in an attacker writing things to the stack or heap and executing things they shouldn't. This only affects the server as the client never uses the pixel format suggested by the server. Issue found by Pavel Cheremushkin from Kaspersky Lab.
* Fix depth sanity test in PixelFormat (Pierre Ossman, 2019-11-15, 1 file, -1/+1)
|
* Add unit test for PixelFormat sanity checks (Pierre Ossman, 2019-11-15, 1 file, -1/+2)
|
* Handle empty Tight gradient rects (Pierre Ossman, 2019-11-15, 1 file, -16/+21)
|   We always assumed there would be one pixel per row so a rect with a zero width would result in us writing to unknown memory. This could theoretically be used by a malicious server to inject code into the viewer process. Issue found by Pavel Cheremushkin from Kaspersky Lab.
* Add write protection to OffsetPixelBuffer (Pierre Ossman, 2019-11-15, 2 files, -0/+9)
|   No one should ever try to write to this buffer. Enforce that by throwing an exception if anyone tries to get a writeable pointer to the data.
* Restrict PixelBuffer dimensions to safe values (Pierre Ossman, 2019-11-15, 1 file, -0/+22)
|   We do a lot of calculations based on pixel coordinates and we need to make sure they do not overflow. Restrict the maximum dimensions we support rather than try to switch over all calculations to use 64 bit integers. This prevents attackers from injecting code by specifying a huge framebuffer size and relying on the values overflowing to access invalid areas of the heap. This primarily affects the client which gets both the screen dimensions and the pixel contents from the remote side. But the server might also be affected as a client can adjust the screen dimensions, as can applications inside the session. Issue found by Pavel Cheremushkin from Kaspersky Lab.
* Encapsulate PixelBuffer internal details (Pierre Ossman, 2019-11-15, 4 files, -50/+78)
|   Don't allow subclasses to just override dimensions or buffer details directly and instead force them to go via methods. This allows us to do sanity checks on the new values and catch bugs and attacks.
* Make ZlibInStream more robust against failures (Pierre Ossman, 2019-11-15, 4 files, -4/+8)
|   Move the checks around to avoid missing cases where we might access memory that is no longer valid. Also avoid touching the underlying stream implicitly (e.g. via the destructor) as it might also no longer be valid. A malicious server could theoretically use this for remote code execution in the client. Issue found by Pavel Cheremushkin from Kaspersky Lab.
* Merge branch 'fix-mistake' of https://github.com/gschwind/tigervnc (Pierre Ossman, 2019-10-14, 1 file, -2/+2)
|\
| * fix to early remove of iterator in VNCServerST::removeSocket (Benoit Gschwind, 2019-08-24, 1 file, -2/+2)
| |
* | Fix bad PixelBuffer reference in VNCServerST::setPixelBuffer() (Pierre Ossman, 2019-10-04, 1 file, -1/+1)
| |   We need to examine the incoming PixelBuffer, not the previous one (which might not even be valid).
* | Fix length checks in string conversion functions (Pierre Ossman, 2019-09-25, 1 file, -16/+16)
|/   We need to check the buffer length before accessing the incoming string. Probably not a problem in practice as there should be a final null in most incoming strings. Issue found by Pavel Cheremushkin from Kaspersky Lab.
* Merge branch 'exclipboard' of https://github.com/CendioOssman/tigervnc (Pierre Ossman, 2019-07-01, 31 files, -88/+1629)
|\
| * Support extended clipboard transfers (Pierre Ossman, 2019-07-01, 22 files, -37/+807)
| |   Implements support in both client and server for the extended clipboard format first seen in UltraVNC. Currently only implements text handling, but that is still an improvement as it extends the clipboard from ISO 8859-1 to full Unicode.
| * Use UTF-8 in clipboard API (Pierre Ossman, 2019-07-01, 4 files, -4/+234)
| |   In preparation for better clipboard extensions that can send Unicode data between the client and server.
| * Improved clipboard API (Pierre Ossman, 2019-07-01, 10 files, -49/+342)
| |   Change the internal clipboard API to use a request based model in order to be prepared for more advanced clipboard transfers.
| * Add UTF-8 to/from ISO 8859-1 conversion routines (Pierre Ossman, 2019-07-01, 2 files, -0/+175)
| |   We convert between UTF-8 and ISO 8859-1 (latin 1) in several places so create some common routines for this.
| * Clean up internal clipboard handling (Pierre Ossman, 2019-07-01, 13 files, -25/+30)
| |   We now filter incoming data, which means we can start assuming the clipboard data is always null terminated. This allows us to clean up a lot of the internal handling.
| * Make sure clipboard uses \n line endings (Pierre Ossman, 2019-07-01, 7 files, -6/+74)
| |   This is required by the protocol so we should make sure it is enforced. We are tolerant of clients that violate this though and convert incoming clipboard data.
* | Remove max area parameter from Region::get_rects() (Pierre Ossman, 2019-06-24, 2 files, -12/+5)
| |   It was unused and added complexity and bugs to the code. So let's remove it rather than trying to clean up a function no one needed.
* | Merge branch 'master' of https://github.com/lprylli/tigervnc (Pierre Ossman, 2019-05-09, 1 file, -1/+1)
|\ \
| |/
|/|
| * Fix wrap-aware isAfter function in Congestion.cxx (Loic Prylli, 2019-04-27, 1 file, -1/+1)
| |   Result of overflow on signed integer arithmetic is undefined in C/C++ standard. So in previous version clang was compiling the statement as (int)a > (int)b (i.e. assuming no overflow), which leads to incorrect result. Correct deterministic behavior means doing overflow arithmetic as unsigned, i.e. a != b && a - b <= UINT_MAX / 2
* | Remove unneeded logging from ZRLE decoder (Pierre Ossman, 2019-04-29, 1 file, -2/+0)
| |   We will log the exception, so avoid direct writes to stderr by simply removing these log lines.
* | Do proper logging rather than fprintf(stderr, ...) (Pierre Ossman, 2019-04-29, 5 files, -12/+21)
| |
* | Remove commented out logging (Pierre Ossman, 2019-04-29, 1 file, -2/+0)
|/
* Increase version string buffer size for gcc (Pierre Ossman, 2019-04-01, 1 file, -1/+1)
|   There is some bug in gcc's new -Werror=format-overflow that makes it think majorVersion could end up being very large. Increase the target buffer for now to keep gcc happy.
* Remove unused force protocol 3.3 code (Pierre Ossman, 2019-04-01, 2 files, -8/+2)
|
* Add delay on authentication failures (Pierre Ossman, 2019-04-01, 4 files, -6/+45)
|   This provides some basic rate limiting that will make it difficult for an attacker to brute force passwords. Only relevant when the blacklist is disabled as otherwise the attacker only gets a very limited number of attempts.
* Add missing throws for exception (Pierre Ossman, 2019-03-26, 1 file, -5/+5)
|   It is not enough to create an exception object, you need to throw it as well.
* Allow blacklist to be disabled (Pierre Ossman, 2019-03-25, 1 file, -0/+7)
|   There might be multiple clients using a single IP (e.g. NAT), which can make the blacklist do more harm than good. So add a setting to disable it if needed.
* Move Blacklist parameters out of the class (Pierre Ossman, 2019-03-25, 2 files, -11/+10)
|   No need to expose these, so keep them internal to the implementation, like most settings are.
* Merge branch 'vmware' of https://github.com/CendioOssman/tigervnc (Pierre Ossman, 2018-12-10, 7 files, -6/+163)
|\
| * Add support for VMware LED status (Pierre Ossman, 2018-12-10, 6 files, -5/+34)
| |
| * Add support for VMware cursors (Pierre Ossman, 2018-12-10, 7 files, -1/+129)
| |
* | Merge branch 'connparams' of https://github.com/CendioOssman/tigervnc (Pierre Ossman, 2018-12-10, 48 files, -820/+1129)
|\|
| * Make sure we always have a valid screen layout (Pierre Ossman, 2018-12-10, 1 file, -6/+9)
| |   Add more checks and fix some callers to make sure that the server core always has a valid screen layout configured.
| * Handle line breaks in log messages (Pierre Ossman, 2018-12-10, 1 file, -1/+10)
| |
| * Require all SMsgWriter caller to check capabilities (Pierre Ossman, 2018-12-10, 3 files, -21/+18)
| |   Make the API consistent by requiring the caller to check what the client supports before calling any of the write* functions. This avoids the confusion that the functions might not always do anything.
| * Abstract sending cursor and resizing the desktop (Pierre Ossman, 2018-12-10, 5 files, -158/+93)
| |   Avoid having the callers need to know about the different variants of these functions and instead have the writer pick the most appropriate extension.
| * Always send current screen layout to client (Pierre Ossman, 2018-12-10, 3 files, -19/+7)
| |   This is what the protocol requires, rather than sending what the client specified in the request. This should be the same in practice except for failures and possibly some races.
| * Move client attributes out of ServerParams (Pierre Ossman, 2018-11-01, 4 files, -23/+26)
| |   ServerParams should contain the server state and not information about client settings or capabilities. Move those things up a level to the CConnection object.
| * Merge client resize capabilities (Pierre Ossman, 2018-11-01, 4 files, -4/+28)
| |   No need to have one setting for each extension. All the client code needs to indicate is if it supports resize. The common code can then map this to relevant extensions.
| * Don't update screen layout directly on incoming client request (Pierre Ossman, 2018-11-01, 2 files, -9/+2)
| |   It needs to be validated and take effect in the server first.
| * Remove unused flags from ServerParams (Pierre Ossman, 2018-11-01, 3 files, -12/+2)
| |   These were either completely unused, or always true.
| * Simplify encoding list generator (Pierre Ossman, 2018-11-01, 1 file, -30/+2)
| |   Tight is the default preferred encoding, so we don't really need special handling for it to be first in the list.
| * Use STL list for encoding list (Pierre Ossman, 2018-11-01, 3 files, -27/+29)
| |   This is a lot safer and cleaner. The old code had a fixed size that we didn't properly keep track of.
| * Make arguments explicit in all message writer methods (Pierre Ossman, 2018-11-01, 7 files, -87/+88)
| |   Make sure all methods only write what is given as arguments, and avoid side effects by getting data from parameter objects. This keeps things readable in the calling code.
| * Move update request handling in to CConnection (Pierre Ossman, 2018-11-01, 2 files, -0/+203)
| |   It's a generic client thing, so abstract it into the common library. Makes it easier to integrate with other common code.
| * Let CMsgHandler::serverInit() handle initial set up (Pierre Ossman, 2018-11-01, 5 files, -12/+32)
| |   Avoid using the callbacks used for runtime changes for the initial setup. They weren't really useful anyway as you could not allocate a framebuffer without also knowing the pixel format. So make things more clear by letting serverInit() get the initial settings.