e0809fcc4b
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publically reported in
https://bugs.launchpad.net/qemu/+bug/1718964
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| Makefile.objs | ||
| channel-buffer.c | ||
| channel-command.c | ||
| channel-file.c | ||
| channel-socket.c | ||
| channel-tls.c | ||
| channel-util.c | ||
| channel-watch.c | ||
| channel-websock.c | ||
| channel.c | ||
| dns-resolver.c | ||
| task.c | ||
| trace-events | ||