| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Provides safety against them accidentally becoming negative because
of bugs in the calculations.
Also does the same to CharArray and friends as they were strongly
connection to the stream objects.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we might be tricked in to reading and writing things at
incorrect offsets for pixels which ultimately could result in an
attacker writing things to the stack or heap and executing things
they shouldn't.
This only affects the server as the client never uses the pixel
format suggested by th server.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.
This could theoretically be used by a malicious server to inject
code in to the viewer process.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
|
|
|
|
|
|
| |
No one should every try to write to this buffer. Enforce that by
throwing an exception if any one tries to get a writeable pointer
to the data.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do a lot of calculations based on pixel coordinates and we need
to make sure they do not overflow. Restrict the maximum dimensions
we support rather than try to switch over all calculations to use
64 bit integers.
This prevents attackers from from injecting code by specifying a
huge framebuffer size and relying on the values overflowing to
access invalid areas of the heap.
This primarily affects the client which gets both the screen
dimensions and the pixel contents from the remote side. But the
server might also be affected as a client can adjust the screen
dimensions, as can applications inside the session.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
|
|
|
|
|
|
| |
Don't allow subclasses to just override dimensions or buffer details
directly and instead force them to go via methods. This allows us
to do sanity checks on the new values and catch bugs and attacks.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the checks around to avoid missing cases where we might access
memory that is no longer valid. Also avoid touching the underlying
stream implicitly (e.g. via the destructor) as it might also no
longer be valid.
A malicious server could theoretically use this for remote code
execution in the client.
Issue found by Pavel Cheremushkin from Kaspersky Lab
|
|\ |
|
| | |
|
| |
| |
| |
| |
| | |
We need to examine the incoming PixelBuffer, not the previous one
(which might not even be valid).
|
|/
|
|
|
|
|
|
| |
We need to check the buffer length before accessing the incoming
string. Probably not a problem in practice as there should be a
final null in most incoming strings.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
Implements support in both client and server for the extended
clipboard format first seen in UltraVNC. Currently only implements
text handling, but that is still an improvement as it extends the
clipboard from ISO 8859-1 to full Unicode.
|
| |
| |
| |
| |
| | |
In prepartion for better clipboard extensions that can send Unicode
data between the client and server.
|
| |
| |
| |
| |
| | |
Change the internal clipboard API to use a request based model in
order to be prepared for more advanced clipboard transfers.
|
| |
| |
| |
| |
| | |
We convert between UTF-8 and ISO 8859-1 (latin 1) in several places
so create some common routines for this.
|
| |
| |
| |
| |
| |
| | |
We now filter incoming data, which means we can start assuming the
clipboard data is always null terminated. This allows us to clean
up a lot of the internal handling.
|
| |
| |
| |
| |
| |
| | |
This is required by the protocol so we should make sure it is
enforced. We are tolerant of clients that violate this though and
convert incoming clipboard data.
|
| |
| |
| |
| |
| | |
It was unused and added complexity and bugs to the code. So let's
remove it rather than trying to clean up a function no one needed.
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Result of overflow on signed integer arithmetic is undefined in C/C++ standard.
So in previous version clang was compiling the statement as (int)a > (int)b (i.e. assuming no overflow), which leads to incorrect result.
Correct deterministic behavior means doing overflow arithmetic as unsigned, i.e.
a != b && a - b <= UINT_MAX / 2
|
| |
| |
| |
| |
| | |
We will log the exception, so avoid direct writes to stderr by
simply removing these log lines.
|
| | |
|
|/ |
|
|
|
|
|
|
| |
There is some bug in gcc's new -Werror=format-overflow that makes it
think majorVersion could end up being very large. Increase the target
buffer for now to keep gcc happy.
|
| |
|
|
|
|
|
|
|
| |
This provides some basic rate limiting that will make it difficult
for an attacker to brute force passwords. Only relevant when the
blacklist is disabled as otherwise the attacker only gets a very
limited number of attempts.
|
|
|
|
|
| |
It is not enough to create an exception object, you need to throw
it as well.
|
|
|
|
|
|
| |
There might be multiple clients using a single IP (e.g. NAT), which
can make the blacklist do more harm than good. So add a setting to
disable it if needed.
|
|
|
|
|
| |
No need to expose these, so keep them internal to the implementation,
like most settings are.
|
|\ |
|
| | |
|
| | |
|
|\| |
|
| |
| |
| |
| |
| | |
Add more checks and fix some callers to make sure that the server
core always has a valid screen layout configured.
|
| | |
|
| |
| |
| |
| |
| |
| | |
Make the API consisitent by requiring the caller to check what the client
supports before calling any of the write* functions. This avoids the
confusion that the functions might not always do anything.
|
| |
| |
| |
| |
| |
| | |
Avoid having the callers need to know about the different variants
of these functions and instead have the writer pick the most appropriate
extension.
|
| |
| |
| |
| |
| |
| | |
This is what the protocol requires, rather than sending what the
client specified in the request. This should be the same in practice
except for failures and possibly some races.
|
| |
| |
| |
| |
| |
| | |
ServerParams should contain the server state and not information about
client settings or capabilities. Move those things up a level to the
CConnection object.
|
| |
| |
| |
| |
| |
| | |
No need to have one setting for each extension. All the client code
needs to indicate is if it supports resize. The common code can then
map this to relevant extensions.
|
| |
| |
| |
| | |
It needs to be validated and take effect in the server first.
|
| |
| |
| |
| | |
These were either completely unused, or always true.
|
| |
| |
| |
| |
| | |
Tight is the default preferred encoding, so we don't really need
special handling for it to be first in the list.
|
| |
| |
| |
| |
| | |
This is a lot safer and cleaner. The old code had a fixed size that
we didn't properly keep track of.
|
| |
| |
| |
| |
| |
| | |
Make sure all methods only write what is given as arguments, and
avoid side effects by getting data from parameter objects. This keeps
things readable in the calling code.
|
| |
| |
| |
| |
| | |
It's a generic client thing, so abstract it in to the common library.
Makes it easier to integrate with other common code.
|