CVE-2015-1779: limit size of HTTP headers from websockets clients - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Daniel P. Berrange <berrange@redhat.com>	2015-03-23 22:58:22 +0000
committer	Gerd Hoffmann <kraxel@redhat.com>	2015-04-01 17:12:55 +0200
commit	2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 (patch)
tree	6c56b659ac57e398ef32f2a5f77dc9ba95a7d65f /util/qemu-config.c
parent	a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e (diff)
download	focaccia-qemu-2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41.tar.gz focaccia-qemu-2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41.zip

CVE-2015-1779: limit size of HTTP headers from websockets clients

The VNC server websockets decoder will read and buffer data from
websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious to
trick QEMU into consuming an arbitrary amount of RAM. In practice,
because QEMU runs g_strstr_len() across the buffered header data,
it will spend increasingly long burning CPU time searching for
the substring match and less & less time reading data. So while
this does cause arbitrary memory growth, the bigger problem is
that QEMU will be burning 100% of available CPU time.

A novnc websockets client typically sends headers of around
512 bytes in length. As such it is reasonable to place a 4096
byte limit on the amount of data buffered while searching for
the end of HTTP headers.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Diffstat (limited to 'util/qemu-config.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: